RE: SPF, ALL_TRUSTED Confusion was RE: Default SURBL scores low?

2004-10-15 Thread Potato Chip

Great, that worked well.

Somehow I missed this option in the Config man page? I must have searched
for TRUSTED instead of trusted. Thanks for pointing it out!
 
jae

  
  -----Original Message-----
  From: Andrew W. Donoho [mailto:[EMAIL PROTECTED]
  Sent: Friday, October 15, 2004 12:17 PM
  To: SpamAssassin list
  Subject: Re: SPF, ALL_TRUSTED Confusion was RE: Default SURBL scores low?

  On Oct 15, 2004, at 12:05, Michael Barnes wrote:

    I have a spam which hits ALL_TRUSTED. I've attached the "spamassassin -D

    I've found that the ALL_TRUSTED hit too many spams as hams. I haven't
    looked at the rule to see what it is doing, but I put in my
    /etc/mail/spamassassin/local.cf

    ALL_TRUSTED 0

  Folks,

  Rather than disabling the rule, why don't you give the information it
  needs to function? Put the following in your local.cf:

  ## Tell SpamAssassin which networks are trusted
  trusted_networks 192.168.1/24

  My trusted network is a single class C private network, 192.168.1/24.
  Your network is probably different. All of the Trusted Network scores on
  spam went away after I set it up. BTW, it only took five minutes with
  Google to find the root cause out. Google is your friend.

  Andrew

  Andrew W. Donoho
  [EMAIL PROTECTED], PGP Key ID: 0x81D0F250
  +1 (512) 453-6652 (o), +1 (512) 750-7596 (m)
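
Added example, not part of the original posts and not SpamAssassin's own code: a simplified Python model of the check behind ALL_TRUSTED ("Did not pass through any untrusted hosts") that expands trusted_networks shorthand such as 192.168.1/24 and lists the relays in a message's Received headers that fall outside it. The function names are hypothetical, the sample headers are constructed (the first mirrors the Received header in this thread), and SpamAssassin's real relay parsing and trust inference are more involved.

```python
import ipaddress
import re

# Matches a bracketed IPv4 relay address such as [80.110.248.122].
RELAY_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def parse_trusted_network(spec):
    """Expand local.cf shorthand ('192.168.1/24', '127.') to an ip_network."""
    addr, _, mask = spec.partition("/")
    octets = [o for o in addr.split(".") if o]
    prefix = int(mask) if mask else 8 * len(octets)  # no mask: 8 bits per octet given
    octets += ["0"] * (4 - len(octets))
    return ipaddress.ip_network(f"{'.'.join(octets)}/{prefix}", strict=False)

def relay_ips(raw_headers):
    """Return bracketed relay IPs from Received: headers, newest hop first."""
    unfolded = re.sub(r"\r?\n[ \t]+", " ", raw_headers)  # undo header folding
    ips = []
    for line in unfolded.splitlines():
        if line.lower().startswith("received:"):
            ips += [ipaddress.ip_address(ip) for ip in RELAY_IP.findall(line)]
    return ips

def untrusted_relays(raw_headers, trusted_specs):
    """Relays outside every trusted network; an empty list means 'all trusted'."""
    nets = [parse_trusted_network(s) for s in trusted_specs]
    return [ip for ip in relay_ips(raw_headers) if not any(ip in n for n in nets)]

def dnsbl_hits_despite_all_trusted(tests):
    """Audit heuristic (assumption): RCVD_IN_* rules that fired beside ALL_TRUSTED."""
    names = {t.strip() for t in tests.split(",")}
    if "ALL_TRUSTED" not in names:
        return []
    return sorted(n for n in names if n.startswith("RCVD_IN_"))

# Constructed samples: EXTERNAL mirrors the Received header in this thread;
# INTERNAL (192.168.1.10, *.example.lan) is invented for contrast.
EXTERNAL = ("Received: from chello080110248122.118.11.vie.surfer.at\n"
            "\t([80.110.248.122]) by dbox.jline.com with smtp (Exim 4.34)\n"
            "Subject: sample\n")
INTERNAL = ("Received: from desk.example.lan ([192.168.1.10])\n"
            "\tby mail.example.lan with esmtp\n")
TESTS = "ALL_TRUSTED,AWL,BAYES_99,RCVD_IN_DSBL,RCVD_IN_XBL"  # abridged from the report

if __name__ == "__main__":
    print(untrusted_relays(EXTERNAL, ["192.168.1/24"]))
    print(untrusted_relays(INTERNAL, ["192.168.1/24"]))
    print(dnsbl_hits_despite_all_trusted(TESTS))
```

A non-empty result from dnsbl_hits_despite_all_trusted over X-Spam-Status or spamd "result:" hit lists is a cue to review trusted_networks rather than zero the rule's score.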


SPF, ALL_TRUSTED Confusion was RE: Default SURBL scores low?

2004-10-15 Thread Potato Chip
om localhost by dbox.jline.com
with SpamAssassin (version 3.0.0);
Fri, 15 Oct 2004 09:05:10 -0700
From: "Risa Ignacia" <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: *SPAM(13.7)* We Provide 96% Off Retail Priice For Softwares years
Date: Fri, 01 Oct 2004 14:13:38 -0500
Message-Id: <[EMAIL PROTECTED]>
X-Spam-Flag: YES
X-Spam-Checker-Version: SpamAssassin 3.0.0 (2004-09-13) on
    dbox.jline.com
X-Spam-Level: *
X-Spam-Status: Yes, score=13.7 required=5.0
    tests=ALL_TRUSTED,AWL,BAYES_99,
    HTML_30_40,HTML_FONT_BIG,HTML_MESSAGE,HTML_NONELEMENT_00_10,
    HTML_SHOUTING3,MIME_BOUND_DD_DIGITS,MPART_ALT_DIFF,RCVD_IN_DSBL,
    RCVD_IN_NJABL_DUL,RCVD_IN_SORBS_DUL,RCVD_IN_XBL autolearn=spam
    version=3.0.0
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="--=_416FF536.26643AE7"

This is a multi-part message in MIME format.

=_416FF536.26643AE7
Content-Type: text/plain
Content-Disposition: inline
Content-Transfer-Encoding: 8bit

Spam detection software, running on the system "dbox.jline.com", has
identified this incoming email as possible spam.  The original message
has been attached to this so you can view it (if it isn't spam) or label
similar future email.  If you have any questions, see
the administrator of that system for details.

Content preview:  committee concentrate seize scissors national every
  according away maam wrong parallel hat means favorite however share
  Your needed soffttwares at Rock Bottom prri ce! - What you bought
  previously was go to shop & buuyy a WIND0WS XP Pro that comes with a
  BOX & serial number & the manual cosst 299.00 [...] 

Content analysis details:   (13.7 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 4.1 MIME_BOUND_DD_DIGITS   Spam tool pattern in MIME boundary
-0.0 ALL_TRUSTED            Did not pass through any untrusted hosts
 0.0 HTML_30_40             BODY: Message is 30% to 40% HTML
 0.0 HTML_MESSAGE           BODY: HTML included in message
 0.1 HTML_FONT_BIG          BODY: HTML tag for a big font size
 0.1 MPART_ALT_DIFF         BODY: HTML and text parts are different
 0.0 HTML_SHOUTING3         BODY: HTML has very strong "shouting" markup
 0.0 HTML_NONELEMENT_00_10  BODY: 0% to 10% of HTML elements are non-standard
 1.9 BAYES_99               BODY: Bayesian spam probability is 99 to 100%
                            [score: 1.]
 2.0 RCVD_IN_SORBS_DUL      RBL: SORBS: sent directly from dynamic IP address
                            [80.110.248.122 listed in dnsbl.sorbs.net]
 3.8 RCVD_IN_DSBL           RBL: Received via a relay in list.dsbl.org
                            [<http://dsbl.org/listing?80.110.248.122>]
 3.1 RCVD_IN_XBL            RBL: Received via a relay in Spamhaus XBL
                            [80.110.248.122 listed in sbl-xbl.spamhaus.org]
 0.1 RCVD_IN_NJABL_DUL      RBL: NJABL: dialup sender did non-local SMTP
                            [80.110.248.122 listed in combined.njabl.org]
-1.6 AWL                    AWL: From: address is in the auto white-list

The original message was not completely plain text, and may be unsafe to
open with some email clients; in particular, it may contain a virus,
or confirm that your address can receive spam.  If you wish to view
it, it may be safer to save it to a file and open it with an editor.


=_416FF536.26643AE7
Content-Type: message/rfc822; x-spam-type=original
Content-Description: original message before SpamAssassin
Content-Disposition: attachment
Content-Transfer-Encoding: 8bit

Received: from chello080110248122.118.11.vie.surfer.at
    ([80.110.248.122])
    by dbox.jline.com with smtp (Exim 4.34)
    id 1CDRsz-0001DQ-LQ
    for [EMAIL PROTECTED]; Fri, 01 Oct 2004 11:12:09 -0700
To: [EMAIL PROTECTED]
From: "Risa Ignacia" <[EMAIL PROTECTED]>
Reply-To: "Risa Ignacia" <[EMAIL PROTECTED]>
Date: Fri, 01 Oct 2004 14:13:38 -0500
Subject: We Provide 96% Off Retail Priice For Softwares years 
Message-ID: <[EMAIL PROTECTED]>
MIME-Version: 1.0
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.6488.4426
Content-Type: multipart/alternative;
    boundary="--4671406479602045"

4671406479602045
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 8bit

committee concentrate seize scissors 
national every according away maam wrong 
parallel hat means favorite however share 

4671406479602045
Content-Type: text/html; charset=us-ascii
Content-Transfer-Encoding: 8bit









Your needed soffttwares at Rock
Bottom prri ce! - What you bought
previously was go to shop & buuyy a WIND0WS XP Pro that comes with a BOX
& serial number & the manual cosst 299.00- What you will get
from us is The full W1ND0WS XP Pro sofftwaree & serial number. It works
exactly the same, but y

Default SURBL scores low?

2004-10-14 Thread Potato Chip
I try not to second guess SA's default scores. I understand some work
goes into creating those default scores.

However, I noticed after upgrading that many spams that are tagged with
SURBL checks are still scoring below threshold. Some reasons
contributing to the lower score, as I see it are:

-3.3 ALL_TRUSTED Most of these unmarked spams hit ALL_TRUSTED with a
default score of -3.3. It almost completely discounts the SURBL score
hits.

50_scores.cf:score URIBL_AB_SURBL 0 2.007 0 0.417
50_scores.cf:score URIBL_OB_SURBL 0 1.996 0 3.213
50_scores.cf:score URIBL_PH_SURBL 0 0.839 0 2.000
50_scores.cf:score URIBL_SC_SURBL 0 3.897 0 4.263
50_scores.cf:score URIBL_WS_SURBL 0 0.539 0 1.462

The default scores for SURBL hits seem low, especially when compared
with what is recommended on www.surbl.org. 

Here is a sample log entry of a SURBL hit which is marked as clean:

Oct 14 09:05:59 dgate spamd[8771]: clean message (1.0/5.0) for steve:1026 in 0.2 seconds, 7805 bytes.
Oct 14 09:05:59 dgate spamd[8771]: result: .  1 - ALL_TRUSTED,DNS_FROM_AHBL_RHSBL,HTML_60_70,HTML_IMAGE_RATIO_04,HTML_LINK_PUSH_HERE,HTML_MESSAGE,URIBL_OB_SURBL,URIBL_SBL,URIBL_WS_SURBL scantime=0.2,size=7805,mid=<[EMAIL PROTECTED]>,autolearn=no

Have most people changed the default SURBL scores to something more
meaningful, higher? It seems worthy of a higher score given the great
reviews that SURBL has been getting?

Thanks for the info.

Jae




RE: Memory usage spikes ...

2004-10-03 Thread Potato Chip
I've been calling this the Email Scud problem. I've been hoping for a
Patriot missile for a long time. I have noticed the same problem with
v2.63 and v2.64. I upgraded to v3.0 hoping that the problem would go
away but it's still there.

It's happened to me about 3 times, where an email will be sent to my
server that specifically causes the problem.  Killing the spamd process
causes the sending MTA to resend. It usually occurs with an email with a
large MIME attachment. In the last occurrence, the attachment was around
20MB and was only a .TXT attachment. The sending MTA will resend its
Scud missile and I'll see the 250MB spamd process using up all available
CPU.

Unfortunately, I didn't save the problem message and its attachment.
Hopefully, that sheds a bit of light on this common problem.

jae

-----Original Message-----
From: Morris Jones [mailto:[EMAIL PROTECTED] 
Sent: Saturday, October 02, 2004 11:44 AM
To: users@spamassassin.apache.org
Subject: Memory usage spikes ...


Yesterday I commented that I was seeing spamd children eating a lot of
memory, pushing the machine into swap.  I've been keeping an eye on the
spamd children this morning.

Overnight, all five children were using around 4 meg.  This morning
sometime, one spamd child shot up to 250M:

Mem:   513948K av,  504660K used,    9288K free,       0K shrd,   15532K buff
Swap: 1052216K av,  263780K used,  788436K free                   68408K cached

  PID  PPID USER  SIZE STAT %CPU %MEM COMMAND
 1537 15624 root  250M S     0.0 44.5 spamd child
25394 15624 root 40056 S     0.0  6.1 spamd child
 1432 15624 root 38932 S     0.0  6.0 spamd child
 1241 15624 root 38768 S     0.0  6.0 spamd child
 1754 15624 root 39308 S     0.0  6.0 spamd child


Yesterday afternoon when I killed and restarted spamd, they were all
using about that much.

Mojo
-- 
Morris Jones <*>
Monrovia, CA
[EMAIL PROTECTED]
http://www.whiteoaks.com