Re: Re: Yum 3.0.5
Thanks Tim, I'm going to do a yum remove on SA and reinstall if required. At the time of the original post I didn't have a spare failover box for SA, that situation is now resolved. My concern stems from the fact that the original Yum updates done before 3.1.0 was installed didn't mention 3.0.5; that only showed up after. 3.1.0 is handling the requests so the 3.0.5 isn't doing any harm other than to offend my eye. I was hoping someone else had similar experiences and that a simple yum remove would work out OK since the 3.1.0 was installed from source. Ah well - we live and learn. Kind regards Nigel On Mon, 13 Mar 2006 17:28:20 +, Tim Jackson [EMAIL PROTECTED] wrote: Nigel Frankcom wrote: I installed 3.1.1 today on a fresh CentOS install and foolishly neglected to check it hadn't already installed an older version of SA. Now when I run yum update it lists 3.0.5 as an update. I've installed 3.1.1 from source and am wondering if using yum remove for the 3.0.5 install will fubar anything else? It may possibly overwrite some files from 3.1.1 depending on where you installed them, although I'm not sure whether RPM will do a hash sanity check on the files before removing them. I'm not sure it does for non-config files. So you might find the yum remove kills your install and you have to reinstall 3.1.1. Much better is to actually install 3.1.1 as an RPM package (build your own based on the CentOS source RPM if nobody else has done one). Half-package managing a system (i.e. installing some things from source, whilst upgrading others with automated tools) rarely ends up as anything but confusing. e.g. if you want to install something from the OS base which *is* packaged but depends on SA, it won't work (failed deps) if you've installed SA from source, etc. If you haven't done it before, building your own RPMs is usually fairly easy especially if you have recent examples (e.g. the 3.0.5 CentOS one) to work from. Tim
Yum 3.0.5
Hi All, I installed 3.1.1 today on a fresh CentOS install and foolishly neglected to check it hadn't already installed an older version of SA. Now when I run yum update it lists 3.0.5 as an update. I've installed 3.1.1 from source and am wondering if using yum remove for the 3.0.5 install will fubar anything else? spamassassin -V reports the correct version, 3.1.1, and it lints fine, so I'm happy it's working, but I'd like to try to get rid of the 3.0.* install. Any suggestions would be greatly appreciated. As a corollary, I have 3.1.0 on another box (also CentOS), again installed from source, am I OK to overinstall or should I remove the old 3.1.0 1st? Kind regards Nigel
Re: Re: Spam Decrease?
Decrease!? Since June my spam %age has gone from 64% to 70.5% of all mail. It's depressing. Nigel On Wed, 28 Sep 2005 22:05:57 +0100, Dean Baldwin [EMAIL PROTECTED] wrote: Not really. We are still getting around 140,000+ messages a day that are spam :-( Matthew Yette wrote: Has anyone who runs a mail gateway service noticed a sharp drop in emails since yesterday? I'm seeing about a 75% drop in total mail volume, and the % of spam is much less...perhaps some ISPs cracked down recently? Matt
Re: Re: OT - abuseat.org
My sincere apologies to cbl - now it shows up here too - I've still removed it from my list for now - no slurs intended, but that seemed to be the root cause of my problem here. Until I can figure why it 550'd everything I'm probably wisest leaving it out. DNS is next on my check list. Thanks for the heads up on my error. Kind regards Nigel On Thu, 22 Sep 2005 17:58:05 -0400, Matt Kettler [EMAIL PROTECTED] wrote: Nigel Frankcom wrote: Hi All, This may be old news, but... anyone using abuseseat.org in their RBLs should probably remove it. I had it running here in my main server config (so not an SA issue) and it's been 550ing every incoming email. A quick check of the domain shows nothing there at all. Really? CBL seems to be working fine.. http://cbl.abuseat.org/ Web forms work for spammers: http://cbl.abuseat.org/lookup.cgi?ip=81.15.247.53.submit=Lookup IP Address 81.15.247.53 was found in the CBL. It was detected at 2005-09-21 11:00 GMT (+/- 30 minutes). DNS works for spammers: $ host 53.247.15.81.cbl.abuseat.org 53.247.15.81.cbl.abuseat.org has address 127.0.0.2 Web forms work for non-spammers: http://cbl.abuseat.org/lookup.cgi?ip=208.39.141.94.submit=Lookup IP Address 208.39.141.94 was not found in the CBL. DNS works for non-spammers: $ host 94.141.39.208.cbl.abuseat.org Host 94.141.39.208.cbl.abuseat.org not found: 3(NXDOMAIN)
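An added example, not part of any post in this thread: before an RBL zone is allowed to drive 550 rejections, it can be probed with the two test addresses RFC 5782 defines (127.0.0.2 must be listed, 127.0.0.1 must not), using the same reversed-octet query names as the `host` lookups quoted above. The resolver tables are constructed so the check runs offline; `rbl.example.invalid` and the `healthy`, `parked` and `dead` resolvers are hypothetical.

```python
import ipaddress
import socket

LOOPBACK = ipaddress.ip_network("127.0.0.0/8")

def dnsbl_name(ip, zone):
    """Query name for an IPv4 address: octets reversed, then the list zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone.strip(".")

def system_resolver(name):
    """A records via the OS resolver; [] when the name does not resolve.
    This cannot tell NXDOMAIN from a timeout, so [] only means 'no data'."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except OSError:
        return []

def lookup(ip, zone, resolve=system_resolver):
    """Classify one lookup as 'listed', 'not-listed' or 'bogus-answer'."""
    answers = resolve(dnsbl_name(ip, zone))
    if not answers:
        return "not-listed"
    if all(ipaddress.IPv4Address(a) in LOOPBACK for a in answers):
        return "listed"
    # An answer outside 127.0.0.0/8 is what a parked or wildcarded domain
    # returns; an MTA that rejects on "any A record" then rejects everyone.
    return "bogus-answer"

def zone_health(zone, resolve=system_resolver):
    """Probe the RFC 5782 test points before trusting the zone for rejects."""
    must_list = lookup("127.0.0.2", zone, resolve)
    must_not = lookup("127.0.0.1", zone, resolve)
    if "bogus-answer" in (must_list, must_not):
        return "unsafe: answers outside 127.0.0.0/8"
    if must_not == "listed":
        return "unsafe: lists everything"
    if must_list != "listed":
        return "unusable: test entry missing (zone gone or DNS failing)"
    return "ok"

# Constructed resolver data (no network). The 81.15.247.53 entry mirrors the
# `host` output quoted in the thread; the test-point entry is assumed.
HEALTHY = {
    "2.0.0.127.cbl.abuseat.org": ["127.0.0.2"],
    "53.247.15.81.cbl.abuseat.org": ["127.0.0.2"],
}

def healthy(name):
    return HEALTHY.get(name, [])

def parked(name):
    return ["192.0.2.10"]  # hypothetical parked zone: answers every name

def dead(name):
    return []  # hypothetical zone that no longer resolves at all

if __name__ == "__main__":
    for label, fake in (("healthy", healthy), ("parked", parked), ("dead", dead)):
        print(label, "->", zone_health("rbl.example.invalid" if fake is not healthy
                                       else "cbl.abuseat.org", fake))
```

Running the same probe from the mail server itself, with `system_resolver`, also exercises that host's DNS path, which is the next item on the poster's checklist.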
Odd X Headers appearing in mail after SA headers.
Hi All, I'm running SA 3.0.4 on FC3. Up to last Thursday (15th) the setup has worked great. Since then I have been getting a series of pretty obscene spam through. They are passing SA, though with the content I'm surprised at this, some of it really could not be construed as anything but obscene (and in many cases physically impossible). The one thing I am seeing in these (and so far ONLY these) mails is a series of X headers added after the SA ones... *Please note - ( ) added to stop my local filters blocking list mails. X(-)NAS(-)Language: English X(-)NAS(-)Bayes: #0: 4.94174E-127; #1: 1 X(-)NAS(-)Classification: 0 X(-)NAS(-)MessageID: 3577 X(-)NAS(-)Validation: {B4D4C488-B469-4D5A-B2F0-095074B3D4B3} The variables after the : change, but not the X headers. I'm still trying to figure out how they get in AFTER the SA headers. I have no other processes running that will add any headers after the SA ones. Any thoughts or suggestions would be appreciated. Kind regards Nigel
Re: Re: Odd X Headers appearing in mail after SA headers.
Apologies all. I should have checked the raw archives 1st. Those X-NAS headers must be added by the client. They don't appear in the raw archived messages. Thanks to Loren. Kind regards Nigel On Mon, 19 Sep 2005 03:56:36 -0700, Loren Wilton [EMAIL PROTECTED] wrote: NAS = Norton Antivirus? Are you running OE on a windows box and have Norton installed? It hooks into email by default to try to catch virui on both send and receive. Loren X(-)NAS(-)Language: English X(-)NAS(-)Bayes: #0: 4.94174E-127; #1: 1 X(-)NAS(-)Classification: 0 X(-)NAS(-)MessageID: 3577 X(-)NAS(-)Validation: {B4D4C488-B469-4D5A-B2F0-095074B3D4B3}
Re: SA round-robin in exim ~ BAYES
I've used local MySQL on several SA servers before now (without a cluster). It worked well. I used the same bayes database to 'seed' all of the servers so they at least started with the same data. I didn't notice any huge differences in scores and on the whole it worked well - if inelegantly. Nigel On Mon, 20 Jun 2005 15:13:32 +, Ronan [EMAIL PROTECTED] wrote: Further to my last post regarding the Mysql Backend to multiple Spamd servers. How much difference would there be if I ran the (in this case) 2 servers on a round robin basis from exim. So over time they would both receive a fair enough diverse amount of mail to make them practically identical in terms of accuracy for our domain... I don't really need both of them atm as one machine only ever hits .75~.8 load constantly at full throughput. Would the MySql option be a better future proof method as I could just tag servers onto the 'cluster'. ronan
Re: Re: shared SQL DB
Hi All, It's 5 SA actually :-D - and I've not noted any problems that didn't come down to slight differences in config between SA servers, once standardised they run much the same. The single MySQL is working well, my only concern being that I still haven't managed to eliminate a potential single failure point (MySQL). My ideal would be to have a means of automatically selecting a slave or copy of the main MySQL in the event the Connector can't get a response from it (the master). It's all well and good having a manual option for master/slave but that implies that you're watching your servers 24/7 - oh that I had the time. One of the reasons for putting in so many SA boxes here was to allow for multiple failures. If anything, moving SA off the SQL box has sped things up. One caveat here, email is coming in from a Win32 mailserver (MTSProfessional) so email and SA are divorced from each other. HTH Nigel On Tue, 14 Jun 2005 13:20:03 -0400, JamesDR [EMAIL PROTECTED] wrote: Ronan McGlue wrote: Hi all, running 2 spamd servers and want to share the BAYES DB between them... so that one never gets too swayed and that both the servers are constantly synced etc... anybody currently running an SQL backend off multiple Spamd servers?? and if so care to part with some knowledge??? thanks We had (up until 2 months ago) 2 spamd servers hanging off one mysql server. It worked quite well. We could train on either of the spamd boxes (sa-learn not autolearn.) AWL also worked well. I know of someone who has 4 or so boxes hanging off of one mysql server. He doesn't report any significant load from SA (SQL wise) causing all around slowness. Maybe he'll chime in and add anything that I've missed.
Re: RE: Re: shared SQL DB
Yep - been after that for a while. To date I've found nothing within my capabilities that can do it; to be fair I've not seen anything bar MySQL server farms that will do it - and the memory requirements for that exclude it from realistic options. Which seems to leave the answer, as you suggest, in either SA itself or the connector. In our case it may be that changes can be made that allow the connector to specify which MySQL SA should use. One issue that arises from this approach is synching up the data. I'd expect that in an established corpus minor changes in the synchs would mean negligible changes in scores. If we ever get it working I may find out :-D Nigel On Tue, 14 Jun 2005 13:58:01 -0400, Matthew Yette [EMAIL PROTECTED] wrote: I would think this would just involve modifying the db connection functions inside the SA code to verify the primary connection is established, and if not, roll onto a second (backup) server. -- Matthew Yette Senior Engineer - NOC/Operations MA Polce Consulting, Inc. [EMAIL PROTECTED] 315-838-1644 (w) 315-356-0597 (f) AIM/Yahoo: MAPolceNOC MSN: [EMAIL PROTECTED] -----Original Message----- From: Nigel Frankcom [mailto:[EMAIL PROTECTED] Sent: Tuesday, June 14, 2005 1:52 PM To: JamesDR Cc: users@spamassassin.apache.org Subject: Re: Re: shared SQL DB Hi All, It's 5 SA actually :-D - and I've not noted any problems that didn't come down to slight differences in config between SA servers, once standardised they run much the same. The single MySQL is working well, my only concern being that I still haven't managed to eliminate a potential single failure point (MySQL). My ideal would be to have a means of automatically selecting a slave or copy of the main MySQL in the event the Connector can't get a response from it (the master). It's all well and good having a manual option for master/slave but that implies that you're watching your servers 24/7 - oh that I had the time. 
One of the reasons for putting in so many SA boxes here was to allow for multiple failures. If anything, moving SA off the SQL box has sped things up. One caveat here, email is coming in from a Win32 mailserver (MTSProfessional) so email and SA are divorced from each other. HTH Nigel On Tue, 14 Jun 2005 13:20:03 -0400, JamesDR [EMAIL PROTECTED] wrote: Ronan McGlue wrote: Hi all, running 2 spamd servers and want to share the BAYES DB between them... so that one never gets too swayed and that both the servers are constantly synced etc... anybody currently running an SQL backend off multiple Spamd servers?? and if so care to part with some knowledge??? thanks We had (up until 2 months ago) 2 spamd servers hanging off one mysql server. It worked quite well. We could train on either of the spamd boxes (sa-learn not autolearn.) AWL also worked well. I know of someone who has 4 or so boxes hanging off of one mysql server. He doesn't report any significant load from SA (SQL wise) causing all around slowness. Maybe he'll chime in and add anything that I've missed.
Possibly useful Stats Script.
Hi, A colleague has written a script to supply some summary (and detail) statistics for SA. I've not been able to get anything of much Admin use from sa-stats.pl; during setup and conf (and day to day running) I'm interested in scantimes and mean averages. Craig Morrison has written a script for logwatch that shows message scan times and a mean average - plus a few other summary details. Craig's not subscribed here (yet), hence my posting this. http://www.2cah.com/lwspamd.html Kind regards Nigel
I like this one.... Particularly the BS from Yahoo.....
Comment: DomainKeys? See http://antispam.yahoo.com/domainkeys DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=s1024; d=yahoo.com; b=FU1UmmgKvRlCBEUg1CKomcMMxShgfcM6WKgaJSOKD9D0tUHOxKzy603V5zIMC3MtpLdfh9CN/aRG7HzHYI2nIPlWHYJyO8PxAAl3qroxRQY3KDINcs+qaZSygSnd/nXp+5Yk1fezlUnFxDtEdUcy5YEQ676bu/ksh4+xL8UWivM= ; Hmmm - that worked well then. Anyone else getting these or have I just annoyed someone? :-D Admittedly, annoying Yahoo may not necessarily be a bad thing Nigel Received: by mtspro.co.uk (MTSPro MTSAgent 1.60) ; Tue, 12 Apr 2005 13:24:42 +0100 for [EMAIL PROTECTED] Received: from yahoo.com (216.109.112.135, Peer IP=[216.155.196.189]) by mtspro.co.uk (MTSPro MTSSmtp 1.61); Tue, 12 Apr 2005 13:24:26 +0100 for [EMAIL PROTECTED] Received: (qmail 65470 invoked by uid 60001); 12 Apr 2005 12:24:10 - Comment: DomainKeys? See http://antispam.yahoo.com/domainkeys DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=s1024; d=yahoo.com; b=FU1UmmgKvRlCBEUg1CKomcMMxShgfcM6WKgaJSOKD9D0tUHOxKzy603V5zIMC3MtpLdfh9CN/aRG7HzHYI2nIPlWHYJyO8PxAAl3qroxRQY3KDINcs+qaZSygSnd/nXp+5Yk1fezlUnFxDtEdUcy5YEQ676bu/ksh4+xL8UWivM= ; Message-ID: [EMAIL PROTECTED] Received: from [80.248.64.59] by web61210.mail.yahoo.com via HTTP; Tue, 12 Apr 2005 05:24:10 PDT Date: Tue, 12 Apr 2005 05:24:10 -0700 (PDT) From: collins oforma [EMAIL PROTECTED] Subject: REGUEST FOR YOUR URGENT CORPERATION; To: [EMAIL PROTECTED] MIME-Version: 1.0 Content-Type: multipart/alternative; boundary=0-2060016952-1113308650=:64127 X-Envelope-Sender: [EMAIL PROTECTED] X-Envelope-Receiver: [EMAIL PROTECTED] X-Spam-RBLReport: dns:yahoo.com.fulldom.rfc-ignorant.org [127.0.0.4] dns:59.64.248.80.bl.spamcop.net?type=TXT [Blocked - see http://www.spamcop.net/bl.shtml?80.248.64.59;] dns:yahoo.com [216.109.112.135, 66.94.234.13] X-Spam-Checker-Version: SpamAssassin 3.0.2 (2004-11-16) on snakepit.blah X-Spam-Level: * X-Spam-Status: No, score=1.2 required=6.0 tests=BAYES_40,HTML_30_40, 
HTML_MESSAGE,RCVD_FAKE_HELO_DOTCOM,RCVD_IN_BL_SPAMCOP_NET, SUBJ_ALL_CAPS,UPPERCASE_75_100 autolearn=no version=3.0.2 X-Spam-Report: * 0.4 RCVD_FAKE_HELO_DOTCOM Received contains a faked HELO hostname * 0.7 SUBJ_ALL_CAPS Subject is all capitals * 0.0 HTML_30_40 BODY: Message is 30% to 40% HTML * -1.1 BAYES_40 BODY: Bayesian spam probability is 20 to 40% * [score: 0.2193] * 0.0 HTML_MESSAGE BODY: HTML included in message * 1.2 RCVD_IN_BL_SPAMCOP_NET RBL: Received via a relay in bl.spamcop.net * [Blocked - see http://www.spamcop.net/bl.shtml?80.248.64.59] * 0.0 UPPERCASE_75_100 message body is 75-100% uppercase REGUEST FOR YOUR URGENT CORPERATION; I AM MR UCHIE OFORMA, MANAGER CREDIT AND ACCOUNTS DEPARTMENT OF AFRICAN DEVELOPMENT BANK PLC.(ADB). I AM FORTY-FOUR 44 YEARS OLD. I GOT YOUR CONTACT ON THE NET DURING MY GUEST FOR A RELIABLE AND REPUTABLE PERSON TO HANDLE A VERY CONFIDENTIAL BUSINESS, WHICH INVOLVES THE PATICIPATION OF A GOOD FORIEGNER. SIR, A BRITISH BUSINESS WOMAN BY NAME MISS CECILIA TRICIA SHANTYLA, A DRUG BARON, WHO DEPOSITED TWO METTALIC TRUNK BOXES WORTHS (#. $.10, MILLIONS) WITH OUR BANK FOR A LONG TIME, AND I WERE RELIABLY INFORMED THAT MISS CECILIA TRICIA SHANTYLA HAS DIED SINCE 6TH OF JUNE 2000, AS A RESULT OF (HIV/AIDS). WHILE HER NEXT OF KIN HAS NOT CALLED OR SHOWED UP TILL DATE,EVEN HER FAMILY MEMBER OR RELATION, THE NATURE AND CONFIDENCIALITY OF THIS DEAL, IT IS ONLY MY COLEAGUES IN THE FOREIGN EXCHANGE DEPARTMENT, I AM HERE TO MAKE SURE THAT YOU KNOW ABOUT THIS SECRET. NOW HER CONCERNMENT THAT WAS DEPOSITED IN MY BANK IS WHAT WE WSNT TO TRANSFER INTO A FOREIGN ACCOUNT SINCE THE BENEFICIARY WAS A FORIEGNER AND NOW IS LATE, AND NONE OF HER FAMILY MEMBERS OR RELATIONS HAD SHOW UP FOR OVER FOUR YEARS TILL DATE. 
MY COLEAGUES AND I DONT HAVE A FOREIGN ACCOUNT, THIS IS IMPOSSIBLE FOR US TO ACQUIRE THIS MONEY BY OURSELVES, THIS IS WHY WE ARE CONNECTING YOU INTO THIS BUSINESS SO AS TO USE YOUR FOREIGN ACCOUNT, BECAUSE WE HAVE PERFECTED ALL THE NECESSARY ARRENGMENTS BEFORE YOUR CONTACT. IF YOU AGREE TO ASSIST US, WE WOULD AGREE TO SHARE THIS MONEY WITH YOU IN THE MUTUAL UNDERSTANDING OFYOU KEEP 20% WHILE ME AND MY COLEAGUES KEEP 70%AND 10% WILL BE KEEP-ASSIDE TO COMPERCENT FOR EXPENSES DURING THE TRANFER FEES: AS I AM ALMOST DUE FOR RETIREMENT: THEREAFTER I WILL VISIT YOUR COUNTRY FOR MUTUAL SHARING, YOU MUST HOWEVER NOTE, THAT THIS DEAL IS SUBJECT OF SECRET, TRUSTWORTHINESS, AND FASTER COMMUNICATIONS. YOURS FAITHFULLY MR UCHIE OFORMA - Yahoo! Messenger Show us what our next emoticon should look like. Join the fun. - Do you Yahoo!? Better first dates. More second dates. Yahoo! Personals - Yahoo! Mail Mobile Take Yahoo! Mail with you! Check
Re: Re: I like this one.... Particularly the BS from Yahoo.....
Admittedly not much, My biggest issue was yahoo sporting anti spam options in a spam mail. I probably shoulda thought a tad more about the post and a tad less about my beer :-D It struck me as amusing and a solid example of how the best plans can bite one in the ass :-D Apols if any annoyance caused :-D Nigel On Tue, 12 Apr 2005 16:53:50 -0400, Matt Kettler [EMAIL PROTECTED] wrote: Nigel Frankcom wrote: Comment: DomainKeys? See http://antispam.yahoo.com/domainkeys DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=s1024; d=yahoo.com; b=FU1UmmgKvRlCBEUg1CKomcMMxShgfcM6WKgaJSOKD9D0tUHOxKzy603V5zIMC3MtpLdfh9CN/aRG7HzHYI2nIPlWHYJyO8PxAAl3qroxRQY3KDINcs+qaZSygSnd/nXp+5Yk1fezlUnFxDtEdUcy5YEQ676bu/ksh4+xL8UWivM= ; Hmmm - that worked well then. Anyone else getting these or have I just annoyed someone? :-D Admittedly, annoying Yahoo may not necessarily be a bad thing Nigel *snip* Erm... what's the point here.. I'm not following Looks to me like someone with a real yahoo account is spamming you with 419 scams from it The host that delivered the mail to you reverses as w2.rc.vip.dcn.yahoo.com What's yahoo, or anyone else, being annoyed have to do with it?
Re: Re: I like this one.... Particularly the BS from Yahoo.....
Point accepted, but - why do they market it as such? Nigel On Tue, 12 Apr 2005 17:45:01 -0400, Matt Kettler [EMAIL PROTECTED] wrote: Nigel Frankcom wrote: Admittedly not much, My biggest issue was yahoo sporting anti spam options in a spam mail. My biggest issue would be the assumption that domainkeys is an anti-spam option. It's not. Period. No matter what some people at slashdot might think, it is NOT an anti-spam technique. Domainkeys, like SPF, is an anti forgery technology. Nothing more. Anyone who tells you otherwise is overstating its benefits or does not understand the technology. While anti-forgery techniques are slightly helpful to the anti-spam community in tracking down the actual source of a message, they do not in any way prevent someone from sending spam that is not forged. Really all this buys you is discouraging forgery by making it easy to detect. This has the side effect that when spam isn't forged, it's easier to get the originating accounts terminated. That's all it offers in terms of anti-spam efforts. It's not really much, but it's a lot better than looking at the RDNS names in the Received: headers to try to verify what domain a mail really came from.
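An added example, not part of any post in this thread: it parses a DomainKey-Signature header like the one in the message above and keeps the two questions separate, namely which domain is accountable for the mail (signature plus d=/From alignment) and whether the content is spam (the filter's own X-Spam-Status). The sample message is constructed (placeholder From address and b= value), and `signature_ok` stands in for the result of a real DomainKeys verifier, which is assumed and not implemented here.

```python
import re

def parse_tags(value):
    """Split a 'tag=value; tag=value' header body into a dict."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            key, val = part.split("=", 1)  # b= may itself contain '='
            tags[key.strip()] = re.sub(r"\s+", "", val)
    return tags

def header(message, name):
    """First value of header `name`, with folded continuation lines joined."""
    unfolded = re.sub(r"\r?\n[ \t]+", " ", message.split("\n\n", 1)[0])
    for line in unfolded.splitlines():
        field, _, value = line.partition(":")
        if field.strip().lower() == name.lower():
            return value.strip()
    return None

def from_domain(message):
    match = re.search(r"@([A-Za-z0-9.-]+)", header(message, "From") or "")
    return match.group(1).lower() if match else None

def assess(message, signature_ok):
    """signature_ok: outcome of a real DomainKeys verifier (assumed input)."""
    tags = parse_tags(header(message, "DomainKey-Signature") or "")
    signer, sender = tags.get("d", "").lower(), from_domain(message)
    # DomainKeys expects d= to equal, or be a parent of, the sender's domain.
    aligned = bool(signer) and sender is not None and (
        sender == signer or sender.endswith("." + signer))
    status = header(message, "X-Spam-Status") or ""
    score = re.search(r"score=(-?[\d.]+) required=(-?[\d.]+)", status)
    accountable = bool(signature_ok and aligned)
    return {
        # Where the verifier fetches the public key (q=dns).
        "key_query": "%s._domainkey.%s" % (tags.get("s"), signer),
        "domain_authenticated": accountable,
        # The content verdict comes only from the filter's score.
        "spam": bool(score) and float(score.group(1)) >= float(score.group(2)),
        # Useful for abuse reports: the domain that really sent the mail.
        "abuse_report_domain": signer if accountable else None,
    }

# Constructed sample modelled on the headers quoted in the thread.
SAMPLE = """\
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=s1024; d=yahoo.com;
  b=CONSTRUCTEDPLACEHOLDER=;
From: collins oforma <placeholder@yahoo.com>
Subject: REGUEST FOR YOUR URGENT CORPERATION;
X-Spam-Status: No, score=1.2 required=6.0 tests=BAYES_40,
  RCVD_IN_BL_SPAMCOP_NET autolearn=no version=3.0.2

(body omitted)
"""

if __name__ == "__main__":
    print(assess(SAMPLE, signature_ok=True))
```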
Re: Re: Sudden spam volume decrease?
I do wonder if spam fell off at about 12.30 GMT - about the time BT binned a few adsl's in error... of course http://news.bbc.co.uk/1/hi/business/4175805.stm On Fri, 14 Jan 2005 12:47:34 -0800, jdow [EMAIL PROTECTED] wrote: From: John Wilcock [EMAIL PROTECTED] Menno van Bennekom wrote: Spam is about normal here, but the number of viruses caught is one tenth of the normal amount the last days. I double-checked amavisd/clamav but everything is working normal, it must be the silence before the storm.. I've seen a slight decrease in spam (down about 10%) since Xmas but, like you, hardly any viruses for the last few days. First the number of Sober.J's tailed off at the weekend, and now there's just the occasional solitary Bagle or Netsky. Is this a coincidence, or should we be battening down the hatches...? John. Hm, this was a one day drop from 250 to 300 spams per day down to only 140 or so. I was astonished. Today looks like it might be back up to normal, sigh. {^_^}
OT - MySQL/SA/PTR records
Hi all, Just a quick note to say, I *finally* got my SA working faster by adding PTR records for the MySQL server. The speed difference is astounding, on FC3 the turnaround time on a test mail has gone from 1 minute plus down to 1 - 2 seconds. Standard mail is running so much faster that comparing it is unfair. Many, many thanks to James Rallo for supplying the fix. Happy New Year to all Nigel
SA headers suddenly stopped appearing in List mails.
Hi All, Did anything change in the SA lists since Sunday? Have had SA 3.0 running happily here since it came out (win32/cygwin) - from Sunday I started seeing mail from the list (and annoyingly some 419ers too) with no SA headers at all - a check of the logs for spamd shows it never even saw the emails. Since this started Sunday and, so far, I've made no changes to either mail or SA, I'm assuming the change must be elsewhere (I'm hoping to hell the change was at the list side and I just missed something) Any and all help gratefully received. Nigel.