Re: mass check tips and tricks - need advice
Damn, I thought I had you in my junk list - play nice spammer and keep one address?

On Sun, 17 Feb 2013 08:34:15 -0800, Marc Perkel wrote:

>OK - I'm getting mass checking set up and working. I'm still in the
>testing phase.
>
>Right now the process of selecting spam and ham is automated. It's not
>manually selected. Is that a problem?
>
>I'm only including email streams that I'm sure of. The spam comes from
>sources that are on multiple black lists, URIBL links, and committed
>other sins that only spammers do, and SA scores over 15. The white list
>is from 100% trusted sources. Eventually I hope to include some hand
>sorting of messages in the middle but for now these are extreme ham and
>spam.
>
>Looks like it takes me 70 minutes to process 46k messages. I'll probably
>process 100k messages nightly and they will all be fresh.
>
>Right now I'm going through to verify the ham and spam just to ensure
>it's accurate and doesn't contain anything that shouldn't be there. Not
>reading every message but not finding any errors.
>
>Looking for advice at this point about anything I should be doing that
>I'm not, or any useful feedback.
Re: Bayes database in mysql on multiple servers
On Wed, 30 Nov 2011 15:14:33 + (UTC), Walter Hurry wrote:

>On Wed, 30 Nov 2011 09:11:49 +0100, Robert Schetterer wrote:
>
>> On 30.11.2011 09:06, Matus UHLAR - fantomas wrote:
>>> On 30.11.11 00:17, Alex wrote:
>>>> I have two fedora15 boxes that process mail for a few domains, and
>>>> recently set up bayes in mysql for each of them. The servers are in
>>>> geographically different locations, a few hops from each other.
>>>> Since they both process mail for the same domains, I thought it made
>>>> sense to share the database between them. What's the best way to do
>>>> this? Set one as a master and the other as a slave, or perhaps
>>>> replication between them? I also thought about something like drbd,
>>>> but that seems a bit excessive for just a database.
>>
>> don't use drbd with mysql store, you don't need it
>>>
>>> I think this is question for MySQL mailing list, not for SA.
>>>
>> you can use i.e master-master replication ( which i do ), but be aware
>> you might get doubles with bayes store, this should be ignored
>>
>> but i am told PostgreSQL is better in replication stuff
>
>Why replicate? Why not just share the same database?

No failover with shared. Distributed adds redundancy.

KR

Nigel
Re: Not sure if this is old or new
On Wed, 21 Sep 2011 17:08:42 +0200, Matus UHLAR - fantomas wrote:

>On 20.09.11 18:57, Nigel Frankcom wrote:
>>I moved SA to a newer box and have the following output in my logs:
>>http://pastebin.com/VvZfXwAC
>>
>>Apologies if I'm being dense, but is there a way to trace what may be
>>causing this, not the specifics of parentheses or == but the
>>particular rule?
>>
>>All (printable) help gratefully received.
>
>
>#
>Compile was succesful. Restarting spamd
>#
>Stopping spamd: [ OK ]
>#
>Starting spamd: [ OK ]
>
>I don't see your problem.

Lines 46 to 63. I am guessing one of my rules has an issue. Wondering if there is a way to figure out which rule is triggering this.

body_0.xs: In function 'XS_Mail__SpamAssassin__CompiledRegexps__body_0_scan':
body_0.xs:123: warning: suggest parentheses around assignment used as truth value
Re: RCVD_IN_SORBS_DUL on my own emails to self
On Sun, 10 Apr 2011 00:59:29 +0200, Michelle Konzack wrote:

>Hello rstarkov,
>
>On 2011-04-09 15:50:36, you hacked down the following:
>> Does your header definitely include an ESMTP marker as per the RFC? Mine
>> didn't; that was the real issue. We didn't find a bug in this rule. So I
>> guess SpamAssassin doesn't have a way to find out that you were
>> authenticated and that it was your own message.
>
>Yes, look into my previous message...
>
>However, I find SORBS too error-prone and not very reliable!
>
>Thanks, Greetings and nice Day/Evening
>Michelle Konzack

I'd agree that one in spades. I'm still getting stuff bounce from cached entries months after I cleared the last SORBS issue. That was the 3rd time I've had to do so and I've been on static from the get go (15 years +).

My ISP didn't help overly. BT decided that all issues relating to rbl's are abuse issues and should be dealt with by that department; it might have helped if they told said department and actually trained the poor sods. Saying that, no amount of training helps with SORBS.

IMVHO SORBS gives rbl's an undeserved bad name. Additionally, BT's approach of 'we are big ergo you do what we say' doesn't add much in the way of help either.

After many years I'm moving off BT, though that is because of their billing and the incompetence there makes their rbl handling look like it's 6 sigma. I've defended BT for years, seems I was naive.

Expect to see me in SORBS soon :-D

Nigel
Re: Performance on Spear Phishing?
On Fri, 18 Mar 2011 04:22:40 +0100, Karsten Bräckelmann wrote:

>On Thu, 2011-03-17 at 12:58 +0000, Nigel Frankcom wrote:
>> Unrelated but reminded me I hadn't posted a thanks to all those that
>> responded about the sa-update rules. That's partly because I'm
>> awaiting permission from clients to add their mails to the corpus.
>
>Unrelated indeed. ;) That short rant of mine was not meant as a broad
>reminder to send your 'thank you's after each post, less so to collect
>them now -- but really triggered by that one particular instance.
>
>There are a bunch of circumstances (some slightly buried down the end)
>outlined in my previous post, which, each on their own, if avoided, are
>likely to not have triggered my reaction in the first place. In other
>words, just try to engage in the community, and don't forget basic
>(old-school) net-iquette, and we all should get along just fine. :)
>
>> So, thanks all. Apologies for forgetting my manners.
>>
>> Have no clue about Spear Phishing other than it's best to be the one
>> with the spear. :-)
>
>Or the hammer.

Hi Karsten,

Having been using this list for more years than I care to think about I ought to know my manners better. It was a timely reminder, it's easy to take the help one gets here for granted.

I don't tend to post so much nowadays with workloads etc, but it's the only list I stay subscribed to. I do on occasion sit with a beer on a boring evening and amble through the posts, and, occasionally, I note things with my setup that seem a bit off.

Without wishing to tempt fate, my setup works well for me and works well. Often as not because of advice given in the past by list members; anyway, manners cost nothing and they do have a value for the recipients.

All the best

Nigel
Re: Performance on Spear Phishing?
Unrelated but reminded me I hadn't posted a thanks to all those that responded about the sa-update rules. That's partly because I'm awaiting permission from clients to add their mails to the corpus.

So, thanks all. Apologies for forgetting my manners.

Have no clue about Spear Phishing other than it's best to be the one with the spear. :-)

On Thu, 17 Mar 2011 04:38:29 +0100, Karsten Bräckelmann wrote:

>So this actually is a reply to the last post to your previous thread
>"how to disable network tests". Merely changing the subject and pruning
>the quote from the body -- surprise -- does NOT make it a new thread. On
>the up-side, it appears you at least did read (I mean "keep" here) the
>thread. Encouraging.
>
>There has been a lot of help, advice, and questions concerning your
>previous topic, however. The down-side. You did not care to even get
>back to a single one of them. Very discouraging.
>
>Do you really expect anyone to care and try to help a single-shot
>question you vent on the list again?
>
>I for one, bloody don't.
>
>
>On Thu, 2011-03-17 at 06:08 +0400, Hamad Ali wrote:
>> Hi folks -- wondering if anyone has monitored SA's performance against
>> phishing mails. SA is able to detect 86% of phishing emails my clients
>
>So you got paying clients. But won't communicate with the community.
>
>> get, with 0.5% false positives on all the ham. It seems non-phish-SPAM
>> is easier to be detected than phish (~99% for non-phish spam). Probably
>> I need to participate on nightly checks to improve phish and lower
>> false positives.
>
>Participating in the mass-checks!? Without any communication (hint, two
>ways) at all? I don't see that happening.
sa-updates
Hi All,

Apologies if this has been covered, an admittedly fairly cursory Google showed nothing new.

My local sa-update hasn't updated in the better part of a month. Is it that there have been no updates or do I need to dig into my systems to see what I broke, how and when?

Regards to all

Nigel
Re: [Asrg] draft-levine-iprangepub-01
On Wed, 29 Dec 2010 15:26:07 -0500, "David F. Skoll" wrote:

>On Wed, 29 Dec 2010 21:09:42 +0100
>Matthias Leisi wrote:
>
>> I'm not sure whether that would be more appropriate for the dev list,
>> but I guess this is relevant/of interest to the SpamAssassin project,
>> and I don't know whether this has caught attention here yet.
>
>In the draft, John asserts:
>
> "For blacklists, an obvious approach would be to limit the granularity
>of DNSBLs, so that, say, each /64 had a separate listing, and the
>queries only used the high 64 bits of each address. While this might
>limit the damage from DNSBL queries, it is not helpful for DNS
>whitelists, which by their nature list individual IP addresses"
>
>I'm not sure I agree with that. The smallest unit of IPv6 address
>space allocated by a provider (even to an end-user) is likely to be a
>/64, so I don't see why whitelists can't list /64's too. Essentially,
>I disagree with the phrase "which by their nature list individual IP
>addresses".
>
>Regards,
>
>David.

I'd wonder at the DNS traffic, I may be wrong but this looks like between 4 and 24 look-ups per check. DoS?

Nigel
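
An added example (not part of the thread or of the draft) of the two query granularities the quoted draft text contrasts: one DNSBL name per full address versus one per /64, and how many distinct names a resolver cache has to hold for senders in a single /64. The zone `dnsbl.example`, the function names and the sample addresses are assumptions made for illustration; the label layout follows the usual reversed-octet / reversed-nibble DNSBL convention.

```python
import ipaddress

ZONE = "dnsbl.example"  # placeholder zone for illustration, not a real list


def query_name(addr, zone=ZONE, v6_bits=128):
    """Build the DNS name a client looks up for `addr` in `zone`.

    IPv4: octets reversed. IPv6: hex nibbles reversed, after optionally
    keeping only the top `v6_bits` bits (64 = the per-/64 scheme quoted above).
    """
    ip = ipaddress.ip_address(addr)
    if ip.version == 4:
        labels = str(ip).split(".")[::-1]
    else:
        if v6_bits % 4 or not 4 <= v6_bits <= 128:
            raise ValueError("v6_bits must be a multiple of 4 between 4 and 128")
        nibbles = ip.exploded.replace(":", "")[: v6_bits // 4]
        labels = list(reversed(nibbles))
    return ".".join(labels) + "." + zone


def distinct_queries(addrs, v6_bits=128):
    """Number of different names, i.e. cache entries and upstream queries."""
    return len({query_name(a, v6_bits=v6_bits) for a in addrs})


def sample_senders(prefix="2001:db8:0:1::/64", count=1000):
    """Constructed sample: `count` different addresses from one documentation /64."""
    net = ipaddress.ip_network(prefix)
    return [str(net[i * 0x10001 + 1]) for i in range(count)]


if __name__ == "__main__":
    print(query_name("217.36.54.209"))
    print(query_name("2001:db8:0:1::1"))
    print(query_name("2001:db8:0:1::1", v6_bits=64))
    senders = sample_senders()
    print("per-address names:", distinct_queries(senders))
    print("per-/64 names:    ", distinct_queries(senders, v6_bits=64))
```

With per-address queries every new source address in the /64 is a cache miss that goes upstream; with the high 64 bits only, all of them share one cached answer.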
Re: Comment - GFI/SORBS
On Wed, 15 Dec 2010 07:04:18 +, "corpus.defero" wrote:

>
>> Ultimately, this seems to be more of a witch hunt against SORBS than a
>> SA issue. Although I'm not opposed to a SORBS witch hunt, I don't think
>> it belongs here.
>
>Indeed, and it's Lynford and his money grabbing cronies mostly behind it
>- hence it lacks sophistication.

I guess we all have our opinions based on our experiences. Personally, I've had no issue with zen, though cbl does seem sometimes to have an issue with back-scatter. That said, proper spf should help stop back-scatter.

Kind regards

Nigel
Re: Comment - GFI/SORBS
This is a long and somewhat complex story. I've been running my own mail for 15+ years or so, always on a fixed IP. A few years ago business picked up so I got some additional IP's from my supplier (BT); it turned out that they were "decommissioned" DUL's renewed as statics.

Initially we jumped the hoops (both BT & I) and after several fraught weeks the issue was resolved.

Now we hit November 27th this year, suddenly I'm in SORBS again. Nothing changed this end, same IP, same RIPE entry, same everything... apart from SORBS, who, apparently, redid their db at the end of November.

Happily I am now clean and clear. How did I really end up there? I've no real idea, I suspect the reload.

I really do appreciate the work RBL's do, mostly; it's a thankless task and if the same wit were applied adversely a lot of money could be made. That they are moral and work as they do makes the life of all legit server admins much easier until they get too rabid.

For those of you that supply reliable rbl's, please accept my profound thanks. Some maybe "could do better", perhaps those should be carefully judged before inclusion into sa, or perhaps made an optional?

All that said, SA isn't the direct problem. Admins blocking purely on, for example, SORBS, should maybe rethink their strategy and adjust scoring on rules within SA.

All of the above is my opinion only; I don't think SORBS do a bad job, I just think they could do it better, and maybe accept that we all get it wrong sometimes...

Just my 2.5p worth :-D

Kind regards

Nigel

On Tue, 14 Dec 2010 22:41:40 -0500, Jason Bertoch wrote:

>On 12/14/2010 8:06 PM, Bart Schaefer wrote:
>> http://blog.wordtothewise.com/2010/12/gfi-sorbs-considered-harmful-part-5/
>
>I've seen the headaches of getting off SORBS, but how did you really end
>up there?
>
>While I agree that SORBS is not reliable enough for use at the MTA
>level, I've not seen one complaint from my customers over using SORBS in
>SA. Isn't the beauty of SA the fact that you can score gray areas and
>not be stuck with black or white?
>
>In case it's a mystery, SA scores are automatically generated based on
>results from the corpus. If those results weren't productive, the rules
>would either be disabled or their scores adjusted even lower. However,
>if the corpus isn't representative, the generated scores are in error,
>and that means we need more trusted submitters. Or maybe your traffic
>is relatively unique and you should already be generating your own scores?
>
>Ultimately, this seems to be more of a witch hunt against SORBS than a
>SA issue. Although I'm not opposed to a SORBS witch hunt, I don't think
>it belongs here.
>
>/$.02
Comment - GFI/SORBS
Hi All,

Is sorbs going to be continued as a scoring option in SA? Having hit yet more problems with them I've zeroed their scoring.

I found this a couple of days ago, maybe it can add weight.

http://blog.wordtothewise.com/2010/12/gfi-sorbs-considered-harmful/

Best to all

Nigel
Re: SpamAssassin service file missing after installation
Those are not optional modules. You can either install them from CPAN or from yum (depending on the repo you use).

As a rule if it says REQUIRED, it probably is :-)

Apologies if this is teaching you to suck eggs:

In CPAN type:

install Digest::SHA

Or in yum, do yum list available and look in the Perl modules for the correct ones then do:

yum install perl-Digest-SHA

Hope that helps

Nigel

On Wed, 27 Oct 2010 01:13:56 -0700 (PDT), Gnanam wrote:

>
>Hi,
>
>I'm trying to install SpamAssassin version 3.3.1 on CentOS release 5.2
>(Final).
>
>During installation, it reported the following REQUIRED & optional module
>missing:
>
>REQUIRED module missing: Digest::SHA
>REQUIRED module missing: HTML::Parser
>REQUIRED module missing: Net::DNS
>REQUIRED module missing: Archive::Tar
>REQUIRED module missing: IO::Zlib
>optional module missing: Digest::SHA
>optional module missing: Mail::SPF
>optional module missing: IP::Country
>optional module missing: Razor2
>optional module missing: Net::Ident
>optional module missing: IO::Socket::INET6
>optional module missing: IO::Socket::SSL
>optional module missing: Compress::Zlib
>optional module missing: Mail::DKIM
>optional module missing: DBI
>optional module missing: LWP::UserAgent
>optional module missing: HTTP::Date
>optional module missing: Encode::Detect
>
>I then installed all REQUIRED modules along with it's dependencies. But,
>I've not installed the optional modules.
>
>My question is, after installation, spamassassin service file is not
>available in the location /etc/init.d/spamassassin. Because of this
>'service spamassassin start' says "spamassassin: unrecognized service".
>What could be the reason for spamassassin service file missing after
>installation? Because this service file is not automatically installed as
>part of installation, I've little doubt/fear/confusion whether it would
>create any other implications during course of usage.
>
>NOTE:
>1. I'm installing as 'root' user here.
>2. Also, I've installed this on RHEL4 and RHEL5, but I don't find this issue
>(missing spamassassin service file).
>3. I also tried to copy the 'spamassassin' service file from one of my RHEL5
>to this CentOS. It is working fine.
>
>Regards,
>Gnanam
ot/possibly
I've not been paying much attention to the list, silly season and work/home pressures.

Of late I've had some truly horrific backscatter issues, enough to pretty much drop my primary mail. I suspect it's an artifact of the server, which is being swapped out, since it only happens on the rdns domain (many other virtuals, all correctly (I think) spf'd).

Now I'm seeing stuff walk through looking like this

>StartWith 200SlotSpins
>
>;+4;;crivitzlippiest.com/41614436r&271074362e&17874825c/
>
>
>
>
>
>
>
>
>SponsorUn-subscribe
>;+4;;crivitzlippiest.com/30101624u&271074362e&17874825c/
>
>
>TransmitterUn-subscribe
>;+4;;crivitzlippiest.com/30101625u&271074362e&17874825c/

Raw mail looks the same so nothing hidden.

Anyone else seeing similar? Is there perhaps a rule already done or should I write one?

As always, all help appreciated.

Kind regards

Nigel
Re: [OT] was SORBS
On Fri, 30 Apr 2010 17:48:49 +0100, "corpus.defero" wrote:

>On Fri, 2010-04-30 at 17:19 +0100, Nigel Frankcom wrote:
>> On Fri, 30 Apr 2010 16:59:57 +0100, "corpus.defero"
>> wrote:
>>
>> >On Fri, 2010-04-30 at 16:50 +0100, Nigel Frankcom wrote:
>> >
>> >> We're on a BT only exchange here so it's them or nothing, well not
>> >> quite, I could go CoLo... hmmm maybe not, or satellite, I was involved
>> >> in setting that up in Cyprus.
>> >
>> >> Nigel
>> >Is there such a thing? I appreciate many are not unbundled, but the BTW
>> >agreement means you should have no problems getting a wires-only with
>> >someone like Zen, IDNET or Newnet. Believe me, the service just pee's
>> >over BT.
>> >
>> Fair point. I live in a small village right on the end of a spur.
>> After being burgled at my town offices I moved the whole damned
>> shebang home and now run it from my own server room.
>There is nothing wrong with that - it makes good environmental sense as
>well as security sense.
>>
>> BT may not be the best, but they (or rather OpenReach) own the lines,
>> exchange and pretty much all else... plus they have helped.
>Having spent 16 years with them I know the ins and outs. Openreach were
>not allowed to show any favouritism to BT customers and went out of
>their way for 'other licensed operators'. Many BT folk of X years
>service found the notion of Openreach rather unpalatable and went out of
>their way to be awkward to native BT customers. I'm not sure if that
>attitude subset still exists but there really was an attitude towards
>all things BT. But good on you for sticking with them.
>>
>> If I go through a third party I end up with at least one more level of
>> 'have you re-booted your router' etc.
>That depends on who you go with. People like Zen, IDNET, aaisp, Newnet
>are actually much better than BT at dealing with issues - and usually
>much more knowledgeable. This SORBS issue would not even be an issue
>with them as they had the brains to sort out their space - rather than
>just try and cluelessly blindmug sell it to SOHO's.
>>
>> Bottom line, I'd rather solve a problem than work round it. As it
>> happens I have a second IP off the range that I could have used, but
>> that would have meant a lot of DNS work etc (and DNS and I are not
>> good friends).
>I admire the spirit and good luck with it. If the Lib Dems win the
>election they may find a hole in their mad ideas to offer treatment for
>those with delusional misguided belief in BT syndrome. (DMBBT).
>>
>> IMHO solving is better than blaming. My original post was a request
>> for advice and help. I got a lot of both... plus a lot of opinion.
>You knew that would happen. Being a BT customer is nearly as bad as
>being a spammer {joke} have a good weekend.
>>
>>
>> Kind regards
>>
>> Nigel
>

The world ain't perfect, but we work with what we have. I'm just happy it's sorted. With luck anyone that hits similar issues will pick up on this and yell.

I may take a line or two off different suppliers to see how close promises and actuality meet.

Best to all

Nigel
Re: [OT] was SORBS
On Fri, 30 Apr 2010 16:59:57 +0100, "corpus.defero" wrote:

>On Fri, 2010-04-30 at 16:50 +0100, Nigel Frankcom wrote:
>
>> We're on a BT only exchange here so it's them or nothing, well not
>> quite, I could go CoLo... hmmm maybe not, or satellite, I was involved
>> in setting that up in Cyprus.
>
>> Nigel
>Is there such a thing? I appreciate many are not unbundled, but the BTW
>agreement means you should have no problems getting a wires-only with
>someone like Zen, IDNET or Newnet. Believe me, the service just pee's
>over BT.
>

Fair point. I live in a small village right on the end of a spur. After being burgled at my town offices I moved the whole damned shebang home and now run it from my own server room.

BT may not be the best, but they (or rather OpenReach) own the lines, exchange and pretty much all else... plus they have helped.

If I go through a third party I end up with at least one more level of 'have you re-booted your router' etc.

Bottom line, I'd rather solve a problem than work round it. As it happens I have a second IP off the range that I could have used, but that would have meant a lot of DNS work etc (and DNS and I are not good friends).

IMHO solving is better than blaming. My original post was a request for advice and help. I got a lot of both... plus a lot of opinion.

Kind regards

Nigel
Re: [OT] was SORBS
On Fri, 30 Apr 2010 14:22:16 +0100, Martin Gregorie wrote:

>On Fri, 2010-04-30 at 08:43 -0400, Lee Dilkie wrote:
>> First, I'd like to point out that not everyone has the option of
>> changing ISP's. Believe it or not, there are many folks who have only
>> one choice for high-speed internet access (myself included).
>>
>However, that doesn't apply to the OP, who is using British Telecom as
>his ISP. My broadband connection goes through the local BT exchange and
>copper after that, but BT has never been my ISP. I initially used Demon
>as my ISP, switching to my current ISP (who subcontract broadband
>connectivity to a third party, *not* BT) when I discovered that Demon
>didn't offer a suitable package that included domain registration.
>
>The OP can do exactly what I did.
>
>Out of pure curiosity, what is there about the broadband set-up in your
>locality that could prevent you from doing something similar? Are both
>your broadband provider and your ISP monopolies?
>
>
>Martin
>

We're on a BT only exchange here so it's them or nothing, well not quite, I could go CoLo... hmmm maybe not, or satellite, I was involved in setting that up in Cyprus.

I guess the bottom line is that this is always going to be an issue and it's as much to do with how you deal with your upline suppliers as how you deal with the lists (rbl etc). I may not agree with them all on an individual basis, but life is what it is, I have to work within the constraints imposed on me.

I cannot complain about SORBS, though I did, they have a fixed set of rules. If I or my upline provider fails.. well, such is life. BT for what it's worth are very aware of their market and the issues, with luck they and SORBS will open a dialogue.

As admins we face and deal with issues every day, sometimes it's nice to know that others out there are listening and, where they can, acting. I have a lot of karma to repay :-D

Now, if the SA list would let me post from 'home'. I'd be copacetic :-D

All the best

Nigel
Re: SORBS
On 20 April 2010 18:29, Benny Pedersen wrote:
> On Tue 20 Apr 2010 19:17:10 CEST, Nigel Frankcom wrote
>
>> My IP has full rDNS supplied by my ISP - please feel free to ping -a
>> 217.36.54.209 and tell me what exactly is wrong with that?
>
> http://www.db.ripe.net/whois?form_type=simple&full_query_string=&searchtext=217.36.54.209&do_search=Search
>
> seems static to me :)
>
> its still your isp that should talk to sorbs
>
> but okay reverse dns is not things that make it worse
>
> --
> xpoint http://www.unicom.com/pw/reply-to-harmful.html
>
>

Thanks for that info. It apparently disagrees with mine.

mail.blue-canoe.net has address 217.36.54.209

host 217.36.54.209
209.54.36.217.in-addr.arpa domain name pointer mail.blue-canoe.org.uk.

host mail.blue-canoe.org.uk
mail.blue-canoe.org.uk has address 217.36.54.209

Which of us is wrong?

Nigel
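
The three `host` lookups in the message above are the steps of a forward-confirmed reverse DNS check. The following is an added example, not part of the original post, that runs that check offline over a record table built from the quoted output; the function names are assumptions and the two `192.0.2.x` entries are constructed failure cases.

```python
import ipaddress

# Forward (A) and reverse (PTR) records. The blue-canoe entries come from the
# `host` output quoted in the message above; the 192.0.2.x / *.example entries
# are constructed so the failure branches can be seen.
A_RECORDS = {
    "mail.blue-canoe.net": ["217.36.54.209"],
    "mail.blue-canoe.org.uk": ["217.36.54.209"],
    "host.example": ["192.0.2.99"],                   # constructed
}
PTR_RECORDS = {
    "209.54.36.217.in-addr.arpa": ["mail.blue-canoe.org.uk."],
    "10.2.0.192.in-addr.arpa": ["host.example."],     # constructed
}


def _norm(name):
    """Compare names without the trailing root dot and case-insensitively."""
    return name.rstrip(".").lower()


def _same_ip(a, b):
    return ipaddress.ip_address(a) == ipaddress.ip_address(b)


def fcrdns(ip, ptr=PTR_RECORDS, fwd=A_RECORDS):
    """PTR lookup for `ip`, then confirm each PTR name resolves back to `ip`."""
    rev = ipaddress.ip_address(ip).reverse_pointer
    names = [_norm(n) for n in ptr.get(rev, [])]
    confirmed = [n for n in names
                 if any(_same_ip(ip, a) for a in fwd.get(n, []))]
    if not names:
        status = "no-ptr"
    elif confirmed:
        status = "confirmed"
    else:
        status = "ptr-not-confirmed"
    return {"ip": ip, "ptr": names, "confirmed": confirmed, "status": status}


def name_relation(name, ip, ptr=PTR_RECORDS, fwd=A_RECORDS):
    """Classify how a hostname relates to `ip`.

    'fcrdns'       the name is a PTR target of ip and resolves back to it
    'forward-only' the name has an A record for ip but is not its PTR name
    'unrelated'    neither
    """
    n = _norm(name)
    if n in fcrdns(ip, ptr, fwd)["confirmed"]:
        return "fcrdns"
    if any(_same_ip(ip, a) for a in fwd.get(n, [])):
        return "forward-only"
    return "unrelated"


if __name__ == "__main__":
    for ip in ("217.36.54.209", "192.0.2.10", "192.0.2.20"):
        print(fcrdns(ip))
    for name in ("mail.blue-canoe.net", "mail.blue-canoe.org.uk"):
        print(name, "->", name_relation(name, "217.36.54.209"))
```

On the quoted records the address is forward-confirmed through `mail.blue-canoe.org.uk`, while `mail.blue-canoe.net` only points at it in the forward direction.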
Re: SORBS
On 20 April 2010 18:07, Benny Pedersen wrote:
> On Tue 20 Apr 2010 18:56:37 CEST, John Hardin wrote
>>>
>>> not correct, hotmail gmail yahoo works without isp dependence, why care ?
>>
>> You're kidding, right, Benny?
>
> does it looks so ?
>
>> Why care that the ISP providing my IP addresses can't be bothered to
>> properly manage it?
>
> manage what ?, dynamic ip ranges changes to static ?
>
>> Are you saying that freemail services or ISP-provided mail accounts are
>> all anyone needs?
>
> in a perfect world yes
>
> this thread here flames sorbs for listing dul ranges and users don't
> understand what it means :(
>
> flames should really go to isps selling overpriced internet lines that
> does not work as expected to users that paid
>
> --
> xpoint http://www.unicom.com/pw/reply-to-harmful.html
>
>

SORBS checked that IP range last in 2006
Re: SORBS
My IP has full rDNS supplied by my ISP - please feel free to ping -a 217.36.54.209 and tell me what exactly is wrong with that?

On 20 April 2010 16:08, Benny Pedersen wrote:
> On Tue 20 Apr 2010 15:04:53 CEST, Nigel Frankcom wrote
>
>> If anyone has any ideas - please let me know?
>
> if your isp give you dul ip, then you must use isp smtp servers as relay
>
> not a fault of sorbs some isp is badly informing users on howto
>
> if you really want to use you ip as server make sure it really is allowed
> from your isp, the report from sorbs says me its not a static ip
>
> ps: if you need to have mail sent from home server make it use smtp auth to
> gmail, and the problem is totally gone, if that is not possible change isp !
>
> --
> xpoint http://www.unicom.com/pw/reply-to-harmful.html
>
>
Re: SORBS
On 20 April 2010 14:13, corpus.defero wrote:
> On Tue, 2010-04-20 at 14:04 +0100, Nigel Frankcom wrote:
>> Hi All,
>>
>> Am I the only one incapable of figuring out the SORBS interface?
>>
>> I'm told by various mailserver that sorbs is blocking me (including
>> this list hence mailing from my gmail account).
>>
>> When I log on to sorbs, give my details I get a nice email back saying:
>>
>> $Id: Act.pm,v 1.16 2006/11/27 03:36:09 lem Exp $
>>
>> I'm a robot writing you on behalf of the SORBS' admins. The reason
>> you're getting this automated response, is our desire to provide you
>> with consistent and fast responses. I'm prepared to correctly analyze
>> most of the cases appearing in the DUHL queue.
>>
>> You might want to keep your responses as short as possible (and to
>> trim my own responses) to help humans better serve you should the need
>> arise.
>>
>>
>>
>> I'm glad to report that the IP space will be submitted for delisting
>> from the DUHL.
>>
>> Best regards.
>>
>> SORBS
>>
>> It's now Day 6. and I'm still listed.
>>
>> If anyone has any ideas - please let me know?
>>
>> Kind regards
>>
>> Nigel
>
> Since when did the Spamassassin list become a place for people to bitch
> about SORBS ;-)
>
> The link is clear enough - get delisted/support here it is in case you
> can't see it amongst all that clutter:
>
> http://www.au.sorbs.net/cgi-bin/support
>
>
> 217.36.54.209 listed in the Dynamic IP Space (LAN, Cable, DSL & Dial Ups)

Following your erudite link... that has been followed at least 4 times before I get:

$Id: Act.pm,v 1.16 2006/11/27 03:36:09 lem Exp $

I'm a robot writing you on behalf of the SORBS' admins. The reason you're getting this automated response, is our desire to provide you with consistent and fast responses. I'm prepared to correctly analyze most of the cases appearing in the DUHL queue.

You might want to keep your responses as short as possible (and to trim my own responses) to help humans better serve you should the need arise.

I'm glad to report that the IP space will be submitted for delisting from the DUHL.

...And I'm STILL in the damned list

SORBS seems to have an issue, SORBS scores are used in SA - ergo it is relevant to this list.

Again, please, can someone offer a sensible suggestion as to how I might resolve this problem. Or, a means of not disrupting SA lists, and suggesting where I may find help relating to my particular issue.

Nigel
SORBS
Hi All,

Am I the only one incapable of figuring out the SORBS interface?

I'm told by various mailserver that sorbs is blocking me (including this list hence mailing from my gmail account).

When I log on to sorbs, give my details I get a nice email back saying:

$Id: Act.pm,v 1.16 2006/11/27 03:36:09 lem Exp $

I'm a robot writing you on behalf of the SORBS' admins. The reason you're getting this automated response, is our desire to provide you with consistent and fast responses. I'm prepared to correctly analyze most of the cases appearing in the DUHL queue.

You might want to keep your responses as short as possible (and to trim my own responses) to help humans better serve you should the need arise.

I'm glad to report that the IP space will be submitted for delisting from the DUHL.

Best regards.

SORBS

It's now Day 6. and I'm still listed.

If anyone has any ideas - please let me know?

Kind regards

Nigel
Re: Any known issues with Razor2?
On Tue, 23 Mar 2010 09:12:16 +, Nigel Frankcom wrote:

>Hi All,
>
>Apologies if this has already been asked. A hunt through Google didn't
>help much nor did any digging around the SA site. That's not to say
>it's not there, just that I can't find it :-/
>
>I have Razor2 installed via CPAN, though without a version number.
>
>When I try and install the new SA I get:
>Error: Missing Dependency: perl(Razor2) >= 2.61 is needed by package
>spamassassin
>
>Is this stupidity on my part or, is there a simple work round, or is
>there an updated version of Razor2?
>
>All help gratefully received.
>
>Kind regards
>
>Nigel

Never mind, it appears to have fixed itself not sure how or why, now I have another mystery.
Any known issues with Razor2?
Hi All,

Apologies if this has already been asked. A hunt through Google didn't help much nor did any digging around the SA site. That's not to say it's not there, just that I can't find it :-/

I have Razor2 installed via CPAN, though without a version number.

When I try and install the new SA I get:
Error: Missing Dependency: perl(Razor2) >= 2.61 is needed by package spamassassin

Is this stupidity on my part or, is there a simple work round, or is there an updated version of Razor2?

All help gratefully received.

Kind regards

Nigel
Re: Bayes help
On Sun, 14 Mar 2010 12:20:14 -0400, Alex wrote:

>Hi,
>
>> Do you have Autolearn On?
>
>Yes. Here is the bayes config from my local.cf:
>
>use_bayes 1
>bayes_auto_learn 1
>bayes_auto_learn_threshold_nonspam -0.9
>bayes_auto_learn_threshold_spam 16.0
>bayes_expiry_max_db_size 100
>
>Thanks,
>Alex

Based on a good few years use I've not found autolearn to be that helpful. Manual input seems to be a much better idea alongside the rulesets you use and keeping a close eye on what gets marked as spam.

Note. After you unlearn stuff in one category it is useful to relearn it in the other - so spam - ham and ham - spam.

Just observations, not suggestions; except that they have worked for me.

KR

Nigel
Re: Bayes help
On Sun, 14 Mar 2010 12:08:17 -0400, Alex wrote:

>Hi,
>
>I'm concerned that my bayes database may contain incorrect
>information. I performed a search on all of the messages in the
>quarantine, and pulled out the ones that contained BAYES_00 in their
>score. There weren't all that many of them, but enough that I want to
>investigate further. Simply deleting the database and starting over
>isn't really the best option.
>
>Is it possible to "unlearn" the tokens in these messages from the
>database, and then re-learn them as spam messages?
>
>How should this really be handled?
>
>Thanks,
>Alex

Watch for line breaks, your answer should be amongst this lot.

http://www.google.co.uk/search?hl=en&safe=off&client=firefox-a&hs=sdB&rls=org.mozilla%3Aen-GB%3Aofficial&q=spamassassin+unlearn&meta=&aq=f&aqi=&aql=&oq=
Re: Bayes help
On Sun, 14 Mar 2010 12:08:17 -0400, Alex wrote:

>Hi,
>
>I'm concerned that my bayes database may contain incorrect
>information. I performed a search on all of the messages in the
>quarantine, and pulled out the ones that contained BAYES_00 in their
>score. There weren't all that many of them, but enough that I want to
>investigate further. Simply deleting the database and starting over
>isn't really the best option.
>
>Is it possible to "unlearn" the tokens in these messages from the
>database, and then re-learn them as spam messages?
>
>How should this really be handled?
>
>Thanks,
>Alex

Do you have Autolearn On?
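
An added example (not from any poster in this thread) of the quarantine triage discussed in the "Bayes help" messages: find quarantined messages whose `X-Spam-Status` header lists `BAYES_00`, then build the forget-and-relearn commands for them. The sample messages, file names and function names are constructed; it assumes the quarantine has already been confirmed as spam by a person, and it only builds the `sa-learn` command lines, it does not run them.

```python
import email
import re

# Constructed quarantine: file name -> raw message text.
QUARANTINE = {
    "q/0001.eml": (
        "From: a@example.net\n"
        "Subject: constructed sample 1\n"
        "X-Spam-Status: Yes, score=7.4 required=5.0 tests=BAYES_00,HTML_MESSAGE,\n"
        "\tURIBL_BLACK autolearn=no version=3.3.1\n"
        "\nbody\n"
    ),
    "q/0002.eml": (
        "From: b@example.net\n"
        "X-Spam-Status: Yes, score=21.0 required=5.0 tests=BAYES_99,URIBL_BLACK\n"
        "\tautolearn=spam version=3.3.1\n"
        "\nbody\n"
    ),
    "q/0003.eml": (   # BAYES_00 sits on the folded continuation line
        "From: c@example.net\n"
        "X-Spam-Status: Yes, score=6.1 required=5.0 tests=HTML_MESSAGE,\n"
        "\tBAYES_00 autolearn=no version=3.3.1\n"
        "\nbody\n"
    ),
    "q/0004.eml": "From: d@example.net\nSubject: never scanned\n\nbody\n",
    "q/0005.eml": (   # hypothetical local rule name that merely contains BAYES_00
        "From: e@example.net\n"
        "X-Spam-Status: Yes, score=5.5 required=5.0 tests=LOCAL_BAYES_00X "
        "autolearn=no version=3.3.1\n"
        "\nbody\n"
    ),
}

# The tests= list ends at the next "key=" field or at the end of the header.
TESTS_RE = re.compile(r"tests=(.*?)(?:\s+\w+=|$)", re.S)
AUTO_RE = re.compile(r"autolearn=(\w+)")


def parse_status(raw):
    """Return {'tests': [...], 'autolearn': str|None}, or None if unscanned."""
    value = email.message_from_string(raw).get("X-Spam-Status")
    if value is None:
        return None
    m = TESTS_RE.search(value)
    # Folded headers put whitespace inside the comma list; drop it first.
    tests = re.sub(r"\s+", "", m.group(1)).split(",") if m else []
    tests = [t for t in tests if t and t != "none"]
    auto = AUTO_RE.search(value)
    return {"tests": tests, "autolearn": auto.group(1) if auto else None}


def relearn_plan(quarantine, rule="BAYES_00"):
    """For each message that hit `rule` exactly, list the sa-learn calls."""
    plan = []
    for path in sorted(quarantine):
        status = parse_status(quarantine[path])
        if status is None or rule not in status["tests"]:
            continue
        plan.append({
            "path": path,
            "autolearn": status["autolearn"],
            "commands": [["sa-learn", "--forget", path],
                         ["sa-learn", "--spam", path]],
        })
    return plan


if __name__ == "__main__":
    for item in relearn_plan(QUARANTINE):
        for cmd in item["commands"]:
            print(" ".join(cmd))
```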
Re: Parallelizing Spam Assassin
OK - I can see what metrics you are trying to ascertain - I think. I'm not sure that your test and real life are 'right'.

For obvious reasons I don't want to carry this one on via list - I would suggest you ask Justin and I will be happy to give info on my local setup (this assumes Justin can grab time away from toxic nappies/diapers)

There is a lot you can do to ameliorate load. On bad days my quad does 50 a second so it's doable. I will freely admit I have no clue quite how this came to be, but it is (a case of having colleagues knowing more than I do - for which I am eternally grateful; the usual culprits know who they are)

Kind regards

Nigel

On Fri, 31 Jul 2009 11:41:14 -0700 (PDT), poifgh wrote:
>
>In my tests - there was not MTA. The mails/spam were collected from some
>server in mbox format and fed to SA using --mbox switch. The size of msgs
>was not altered in any fashion - just the usual size of incoming spam/mails
>
>There are no AV [you mean Anti Virus right?] running on the machine
>
>Would be back with results
>
>--
>
>
>
>
>Nigel Frankcom-2 wrote:
>>
>> I'm assuming you run a tad more messages than I, but on a quad with a
>> failover I have never seen the failover kick in 4 years. This is not
>> disputing your observations, just noting mine.
>>
>> I claim absolutely no knowledge about the core processing/stacking
>> though I would assume (perhaps incorrectly) that the parsing would be
>> part of the software (MTA).
>>
>> I freely admit I only picked up what seems the tail end of this thread
>> but having used SA for so many years I think I have at least a handle
>> on how it plays (hence the failover). My failover SA is in place to
>> handle slow queries from the primary SA. Assuming (again) that mail
>> size has been factored and any AV is running remotely?
>>
>> Just a few thoughts based on a very cursory read of a few posts, sadly
>> - or happily, work makes my contributions here limited.
>>
>> I'd be interested in the results of this though.
>>
>> Kind regards
>>
>> Nigel
>>
>> PS - apologies if I'm repeating prior observations.
>>
>> On Fri, 31 Jul 2009 10:41:47 -0700 (PDT), poifgh
>> wrote:
>>
>>>
>>>
>>>
>>>Henrik K wrote:
>>>>
>>>> Yeah, given that my 4x3Ghz box masscheck peaks at 22 msgs/sec, without
>>>> Net/AWL/Bayes. But that's the 3.3 SVN ruleset.. wonder what version was
>>>> used
>>>> and any nondefault rules/settings? Certainly sounds strange that 1 core
>>>> could top out the same. Anyone else have figures? Maybe I've borked
>>>> something myself..
>>>>
>>>
>>>The problem is not with 22 being a low number, but when we have other free
>>>cores to run different SA parallely why doesnt the throughput scale
>linearly
>>>.. I expect for 8 cores with 8 SA running simultaneously the number to be
>>>150+ msgs/sec but it is 1/3rd at 50 msgs/sec
>>
>>

Re: Parallelizing Spam Assassin
I'm assuming you run a tad more messages than I, but on a quad with a failover I have never seen the failover kick in 4 years. This is not disputing your observations, just noting mine.

I claim absolutely no knowledge about the core processing/stacking though I would assume (perhaps incorrectly) that the parsing would be part of the software (MTA).

I freely admit I only picked up what seems the tail end of this thread but having used SA for so many years I think I have at least a handle on how it plays (hence the failover). My failover SA is in place to handle slow queries from the primary SA. Assuming (again) that mail size has been factored and any AV is running remotely?

Just a few thoughts based on a very cursory read of a few posts, sadly - or happily, work makes my contributions here limited.

I'd be interested in the results of this though.

Kind regards

Nigel

PS - apologies if I'm repeating prior observations.

On Fri, 31 Jul 2009 10:41:47 -0700 (PDT), poifgh wrote:
>
>
>
>Henrik K wrote:
>>
>> Yeah, given that my 4x3Ghz box masscheck peaks at 22 msgs/sec, without
>> Net/AWL/Bayes. But that's the 3.3 SVN ruleset.. wonder what version was
>> used
>> and any nondefault rules/settings? Certainly sounds strange that 1 core
>> could top out the same. Anyone else have figures? Maybe I've borked
>> something myself..
>>
>
>The problem is not with 22 being a low number, but when we have other free
>cores to run different SA parallely why doesnt the throughput scale linearly
>.. I expect for 8 cores with 8 SA running simultaneously the number to be
>150+ msgs/sec but it is 1/3rd at 50 msgs/sec

Re: sa-update error
On Mon, 8 Jun 2009 03:30:59 -0700 (PDT), snowweb wrote:
>
>I've just heard about sa-update and tried to run it. I was thinking of
>setting up a cron to do it daily, however, I got the following error message
>when I ran it manually:
>
>[r...@s1 spamassassin]# sa-update && service spamassassin restart
>Can't locate Archive/Tar.pm in @INC (@INC contains:
>/usr/lib/perl5/site_perl/5.8.8/i386-linux-thread-multi /usr/lib/per
>l5/site_perl/5.8.8 /usr/lib/perl5/site_perl/5.8.7/i386-linux-thread-multi
>/usr/lib/perl5/site_perl/5.8.6/i386-linux-thr
>ead-multi /usr/lib/perl5/site_perl/5.8.5/i386-linux-thread-multi
>/usr/lib/perl5/site_perl/5.8.7 /usr/lib/perl5/site_per
>l/5.8.6 /usr/lib/perl5/site_perl/5.8.5 /usr/lib/perl5/site_perl
>/usr/lib/perl5/vendor_perl/5.8.8/i386-linux-thread-mult
>i /usr/lib/perl5/vendor_perl/5.8.7/i386-linux-thread-multi
>/usr/lib/perl5/vendor_perl/5.8.6/i386-linux-thread-multi /us
>r/lib/perl5/vendor_perl/5.8.5/i386-linux-thread-multi
>/usr/lib/perl5/vendor_perl/5.8.8 /usr/lib/perl5/vendor_perl/5.8.7
> /usr/lib/perl5/vendor_perl/5.8.6 /usr/lib/perl5/vendor_perl/5.8.5
>/usr/lib/perl5/vendor_perl /usr/lib/perl5/5.8.8/i386
>-linux-thread-multi /usr/lib/perl5/5.8.8) at /usr/bin/sa-update line 81.
>BEGIN failed--compilation aborted at /usr/bin/sa-update line 81.
>
>Any ideas please?
>
>pete

I think the Tar package is available via yum if you want an easy way to keep it current. If not, install it via CPAN. You may need to restart SA after, not sure.

It may also be worth running "spamassassin --lint -D" to see if you are missing any other packages.

HTH

Nigel

Re: Custome rule problem. Resolved
On Thu, 19 Feb 2009 08:01:48 -0800 (PST), John Hardin wrote:
>On Thu, 19 Feb 2009, Nigel Frankcom wrote:
>
>> Testing was done through spamassassin --lint and with debug. I used a
>> mail that *should* have hit the rules.
>
>--lint is not for testing rule performance, as it uses an
>internally-generated test message. It's just to check for syntax errors.
>
>As has been requested, can you post a complete sample message on pastebin
>for us to see?

Many thanks to all... I have the rule working. As usual it was a syntactical error (typo). For anyone else getting the live.com emails with google groups links the following works:

# Live.com spam
#rev:
#Nigel Frankcom: 19/02/2009 12:56:07~ works with 3.0.x, 3.1.x, 3.2.x
# Tested on 3.0.4, 3.0.5, 3.1.0, 3.2.x
header __NFheader ALL =~ /live\.com/i
uri __NFuri m{^https?\://www\.google\.com/groups?}i
meta NFheader_Details (__NFheader && __NFuri)
describe NFheader_Details live dot com spam.
score NFheader_Details 7.0

My default is 5.0 but the AWL puts live with a positive score. I'm noting stuff from yahoo as well so will adjust this to suit.

Feel free to mangle it, I'd appreciate a copy of any wider ranging working versions though.

Kind regards and many thanks to all.

Nigel

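To see which messages each posted version of this rule fires on, the following added example (not code from the thread) evaluates the header/uri/meta logic over constructed messages. The three patterns are copied from the posts; the URL extraction is a simplified stand-in for SpamAssassin's own URI parsing, and the sample senders and links are made up.

```python
import re
from email import message_from_string

# Patterns copied from the two posted versions of the rule.
HEADER_RE = re.compile(r"live\.com", re.I)                  # __NFheader, run over ALL headers
URI_FIRST = re.compile(r"www\.google\.com\/groups\/")       # __NFuri as first posted
URI_FINAL = re.compile(r"^https?\://www\.google\.com/groups?", re.I)  # __NFuri, working rule

# Assumption: a simple URL matcher stands in for SpamAssassin's URI extraction.
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)

def evaluate(raw, uri_re):
    """Return (header_hit, uri_hit, meta_hit) for one raw message."""
    msg = message_from_string(raw)
    all_headers = "\n".join(f"{k}: {v}" for k, v in msg.items())
    header_hit = bool(HEADER_RE.search(all_headers))
    uri_hit = any(uri_re.search(u) for u in URL_RE.findall(msg.get_payload()))
    # The meta rule is the AND of the two unscored sub-rules.
    return header_hit, uri_hit, header_hit and uri_hit

def sample(sender, url):
    """Build a constructed test message (not taken from the thread)."""
    return (f"From: {sender}\nTo: user@example.org\nSubject: hello\n\n"
            f"Have a look: {url}\n")

SAMPLES = {
    "live+group": sample("someone@live.com", "http://www.google.com/group/example-name"),
    "live+groups/": sample("someone@live.com", "http://www.google.com/groups/example-name"),
    "live+groups?": sample("someone@live.com", "https://www.google.com/groups?hl=en"),
    "other+group": sample("someone@example.net", "http://www.google.com/group/example-name"),
    # The unanchored header pattern also matches inside longer domain names.
    "lookalike": sample("someone@olive.com.example", "http://www.google.com/group/example-name"),
}

def compare():
    """Map sample name -> (meta hit with first uri pattern, meta hit with final one)."""
    return {name: (evaluate(raw, URI_FIRST)[2], evaluate(raw, URI_FINAL)[2])
            for name, raw in SAMPLES.items()}

if __name__ == "__main__":
    for name, (first, final) in compare().items():
        print(f"{name:13} first={first!s:5} final={final}")
```

Running the same samples through `spamassassin -D` shows whether the real sub-rules hit, which `--lint` alone does not, as noted in the quoted reply.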
Re: Custome rule problem.
On Thu, 19 Feb 2009 16:16:48 +0100, Karsten Bräckelmann wrote:
>On Thu, 2009-02-19 at 14:50 +0000, Nigel Frankcom wrote:
>
>> Using --lint the rule comes back clean but on testing it appears to be
>> ignored. It's in the spamassassin directory.
>>
>> Am I missing something stupid? (Wouldn't be the 1st time)
>
>You're missing a lot of details. How do you test your rules? Try using
>the -D debugging, to see if the sub-rules actually hit. No sample, so we
>can't tell if your rules are correct.
>
>
>> header __NFheader ALL =~ /live\.com/i
>> score __NFheader 0.1
>
>Meta-match sub-rules don't score.
>
>> uri __NFuri /www\.google\.com\/groups\//
>> score __NFuri 0.1
>> meta NFheader_Details (__NFheader && __NFuri)
>> describe NFheader_Details live dot com spam
>> score NFheader_Details 5.0

Testing was done through spamassassin --lint and with debug. I used a mail that *should* have hit the rules. Tried it with and without scores for meta's... just in case.

I'll post up a sample of a test mail once the current round of other network screw ups are resolved.

TIA

Nigel

Custome rule problem.
Hi All,

I've written the following rule to deal with spam a particular set of users are getting hit by that very few of my rules are hitting.

Using --lint the rule comes back clean but on testing it appears to be ignored. It's in the spamassassin directory.

Am I missing something stupid? (Wouldn't be the 1st time)

header __NFheader ALL =~ /live\.com/i
score __NFheader 0.1
uri __NFuri /www\.google\.com\/groups\//
score __NFuri 0.1
meta NFheader_Details (__NFheader && __NFuri)
describe NFheader_Details live dot com spam
score NFheader_Details 5.0

Any help greatly received.

Kind regards

Nigel

Re: html experts: empty
On Thu, 29 Jan 2009 18:00:47 -0800, Kelson wrote: >On the subject of vs