Re: Spam not stopped???

2011-06-15 Thread Ryan Pavely
Is it just me, a little scatterbrained here, but doesn't that log show it was 
identified as spam?

Sent from my iPad

On Jun 15, 2011, at 8:30 PM, User for SpamAssassin Mail List wrote:

> 
> 
> Hello,
> 
> I have something I cannot explain. We blacklisted an email address for a 
> client but SpamAssassin still let it through. Here are the logs:
> 
> 
> Jun 15 08:08:10 mail spamd[20901]: spamd: identified spam (104.0/6.0) for client:2130 in 0.2 seconds, 1729 bytes.
> 
> Jun 15 08:08:10 mail spamd[20901]: spamd: result: Y 103 - BAYES_50,HTML_MESSAGE,MISSING_SUBJECT,SPF_PASS,TVD_SPACE_RATIO,USER_IN_BLACKLIST scantime=0.2,size=1729,user=client,uid=2130,required_score=6.0,rhost=localhost,raddr=127.0.0.1,rport=55987,mid=,bayes=0.479706,autolearn=no
> 
> Jun 15 08:08:10 mail sm-mta[21077]: p5FF86ld021067: to=, delay=00:00:03, xdelay=00:00:02, mailer=local, pri=31672, dsn=2.0.0, stat=Sent
> 
> As you can see the user is in the blacklist, but yet the mail was delivered. I 
> checked other email that was over a score of "9" and the mail was rejected, 
> but for some reason or another this was not.
> 
> Anyone have an idea why this is making it through?
> 
> Thanks,
> 
> Ken
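The reply above is right that the log records a spam verdict; what it does not record is any rejection. The following is an added Python example (mine, not from the thread or the SpamAssassin project) that parses the spamd result line and the sendmail delivery record from the excerpt and flags the combination worth looking for here: a Y verdict, USER_IN_BLACKLIST among the hits, and stat=Sent from the MTA. Together these point at the glue between sendmail and spamd rather than at spamd's scoring, since spamd only scores and tags. The three log lines are embedded as they appear in the post (the archive elided the recipient); the regexes are mine and written against that format.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Sample lines copied from the log excerpt in the post above (the archive
# elided the recipient address, hence "to=," in the sm-mta record).
SAMPLE_LOG = """\
Jun 15 08:08:10 mail spamd[20901]: spamd: identified spam (104.0/6.0) for client:2130 in 0.2 seconds, 1729 bytes.
Jun 15 08:08:10 mail spamd[20901]: spamd: result: Y 103 - BAYES_50,HTML_MESSAGE,MISSING_SUBJECT,SPF_PASS,TVD_SPACE_RATIO,USER_IN_BLACKLIST scantime=0.2,size=1729,user=client,uid=2130,required_score=6.0,rhost=localhost,raddr=127.0.0.1,rport=55987,mid=,bayes=0.479706,autolearn=no
Jun 15 08:08:10 mail sm-mta[21077]: p5FF86ld021067: to=, delay=00:00:03, xdelay=00:00:02, mailer=local, pri=31672, dsn=2.0.0, stat=Sent
"""

# "spamd: result: <Y|N|.> <integer score> - <tests or 'none'> <key=value,...>"
RESULT_RE = re.compile(
    r"spamd: result: (?P<flag>[YN.]) (?P<score>-?\d+) - (?P<tests>\S+) (?P<kv>\S+)\s*$"
)
# sendmail (sm-mta) delivery record; stat=Sent means the mailer accepted it
MTA_RE = re.compile(r"sm-mta\[\d+\]: (?P<qid>\w+): .*\bstat=(?P<stat>\w+)")


@dataclass
class ScanVerdict:
    user: str
    flagged: bool          # Y means the score reached required_score
    score: int             # the result line carries the score as an integer
    required: float
    tests: List[str]

    @property
    def blacklisted(self) -> bool:
        return "USER_IN_BLACKLIST" in self.tests


def parse_result_line(line: str) -> Optional[ScanVerdict]:
    """Parse one 'spamd: result:' line; any other line yields None."""
    m = RESULT_RE.search(line)
    if not m:
        return None
    kv = dict(item.split("=", 1) for item in m["kv"].split(",") if "=" in item)
    tests = [] if m["tests"] == "none" else m["tests"].split(",")
    return ScanVerdict(
        user=kv.get("user", "?"),
        flagged=(m["flag"] == "Y"),
        score=int(m["score"]),
        required=float(kv.get("required_score", "nan")),
        tests=tests,
    )


def reconcile(log_text: str) -> Dict[str, object]:
    """Set spamd verdicts beside the MTA delivery records in the same excerpt.

    spamd only scores and tags.  Whether a flagged message is rejected,
    quarantined or delivered is decided by the glue between the MTA and
    spamd, so a Y verdict next to stat=Sent means that glue delivered it.
    """
    lines = log_text.splitlines()
    verdicts = [v for v in map(parse_result_line, lines) if v is not None]
    delivered = [m["qid"] for m in map(MTA_RE.search, lines)
                 if m is not None and m["stat"] == "Sent"]
    flagged = [v for v in verdicts if v.flagged]
    return {
        "verdicts": verdicts,
        "flagged_count": len(flagged),
        "blacklisted_users": sorted({v.user for v in flagged if v.blacklisted}),
        "delivered_queue_ids": delivered,
        "flagged_but_delivered": bool(flagged and delivered),
    }


if __name__ == "__main__":
    summary = reconcile(SAMPLE_LOG)
    for v in summary["verdicts"]:
        print(f"user={v.user} flagged={v.flagged} score={v.score}/{v.required} "
              f"blacklisted={v.blacklisted} tests={','.join(v.tests)}")
    print("flagged but delivered:", summary["flagged_but_delivered"])
```

Run it over a larger slice of the same log and "flagged_but_delivered" becomes the thing to grep for: when it is true, the next place to look is whatever calls spamc (a milter, procmail or the sendmail local mailer configuration) and its handling of the verdict, not the blacklist entry.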


Re: USER_IN_WHITELIST problem

2007-01-23 Thread Ryan Pavely
Ok, I have an update.  I picked a message that was getting marked 
USER_IN_WHITELIST once every 5 or so messages.  I took the from address 
and added this code to Perl..Mail\SpamAssassin\EvalTests.pm


   if ($addr =~ qr/$regexp/i) {
     dbg("rules: address $addr matches whitelist or blacklist regexp: $regexp");

     # Added debugging: for the one address that keeps hitting, log the
     # match and then dump every entry of the wl/bl hash ($list, from the
     # enclosing sub) that this child has in memory at that moment.
     if ("$addr" eq "[EMAIL PROTECTED]") {
       info("PARADOX: rules: address $addr matches whitelist or blacklist regexp: $regexp");
       foreach my $reg (values %{$list}) {
         info("PARADOX: $reg");
       }
     }
     # ... rest of the original block unchanged

I then ran my loop and watched the log.  After a few tries it hit.  
Guess the cool part.  It printed out hundreds and hundreds of lines of 
blacklist/whitelist settings.  I use a domain/username file based pref 
system, no sql, nothing broken there. 

The hundreds of lines were not 'all' my wl/bl's.  After some more 
debugging I am pretty confident that I am seeing the list of all wl/bl's 
loaded in memory for any message being scanned at that moment.  On this 
particular box probably around 25 or so.


Pretty cool huh?

How is this possible?  How did it just start happening out of nowhere?

 Ryan Pavely
  Director Research And Development
  Net Access Corporation
  http://www.nac.net/ http://www.15minuteservers.com/

Re: USER_IN_WHITELIST problem

2007-01-23 Thread Ryan Pavely
100% Similar Quality, from $ 199 Each

Show Off to your colleague that you can afford a ROLEX as well

== Message 2
=== Scanned ok

X-Spam-Flag: YES
X-Spam-Checker-Version: SpamAssassin 3.1.7 (2006-10-05) on spamd3.oct
X-Spam-Level: 
X-Spam-PrefsFile: nac.net/paradox
X-Spam-Status: Yes, score=20.9 required=5.0 tests=HTML_10_20=0.945,
    HTML_MESSAGE=0.001,RAZOR2_CF_RANGE_51_100=0.5,
    RAZOR2_CF_RANGE_E8_51_100=1.5,RAZOR2_CHECK=0.5,SARE_GIF_ATTACH=0.75,
    SARE_STOCK_MSG_ID2=2.22,TW_RQ=0.077,URIBL_AB_SURBL=3.306,
    URIBL_JP_SURBL=3.36,URIBL_OB_SURBL=2.617,URIBL_SC_SURBL=3.6,
    URIBL_WS_SURBL=1.533 autolearn=disabled version=3.1.7

=== Scanned, hit whitelist

X-Spam-Checker-Version: SpamAssassin 3.1.7 (2006-10-05) on spamd3.oct
X-Spam-Level:
X-Spam-PrefsFile: nac.net/paradox
X-Spam-Status: No, score=-79.1 required=5.0 tests=HTML_10_20=0.945,
    HTML_MESSAGE=0.001,RAZOR2_CF_RANGE_51_100=0.5,
    RAZOR2_CF_RANGE_E8_51_100=1.5,RAZOR2_CHECK=0.5,SARE_GIF_ATTACH=0.75,
    SARE_STOCK_MSG_ID2=2.22,TW_RQ=0.077,URIBL_AB_SURBL=3.306,
    URIBL_JP_SURBL=3.36,URIBL_OB_SURBL=2.617,URIBL_SC_SURBL=3.6,
    URIBL_WS_SURBL=1.533,USER_IN_WHITELIST=-100 autolearn=disabled

=== Original Message

Return-Path: <[EMAIL PROTECTED]>
Delivered-To: [EMAIL PROTECTED]
Received: (qmail 93280 invoked by uid 0); 23 Jan 2007 10:24:15 -
Received: from 89.228.238.70 by mx7.oct.nac.net (envelope-from 
    <[EMAIL PROTECTED]>, uid 0) with qmail-scanner-1.25
    (clamdscan: 0.88.3/2095. f-prot: 4.6.6/3.16.14. spamassassin: 3.1.0.  
    Clear:RC:0(89.228.238.70):.
    Processed in 29.545472 secs); 23 Jan 2007 10:24:15 -
Received: from unknown (HELO xp-7211e87ff35b) (89.228.238.70)
  by rbl-mx.nac.net with SMTP; 23 Jan 2007 10:23:45 -
Return-Path: <[EMAIL PROTECTED]>
Received: from 86.109.98.134 (HELO mail.cdmon.net)
 by nac.net with esmtp ([EMAIL PROTECTED]'9/70 H4*9)
 id 0:'+F,-8Q/7E5-05
 for [EMAIL PROTECTED]; Tue, 23 Jan 2007 10:23:43 -0060
Date:   Tue, 23 Jan 2007 10:23:43 -0060
From:   "Darnell Ball" <[EMAIL PROTECTED]>
X-Mailer: The Bat! (v2.00.2) Business
X-Priority: 3 (Normal)
Message-ID: <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: Hey dude top brands available
MIME-Version: 1.0
Content-Type: multipart/mixed;
  boundary="--A6EB829A6780C93"

----A6EB829A6780C93
Content-Type: multipart/alternative;
 boundary="--E4BFDADADAD329AD"


----E4BFDADADAD329AD
Content-Type: text/plain; charset=windows-1250
Content-Transfer-Encoding: quoted-printable


Can u believe that we will make you happy?  image>

 Ryan Pavely
  Director Research And Development
  Net Access Corporation
  http://www.nac.net/ http://www.15minuteservers.com/



Drew Burchett wrote:

Do you have some example headers?



This is a legitimate email, but it got flagged as USER_IN_WHITELIST
while CNN is not listed in my whitelist:

Received: from cnnimail33.turner.com (cnnimail33.turner.com
[64.236.25.90])
by spamfilter.onlineky.net (Postfix) with ESMTP id 2FB331757E
for <[EMAIL PROTECTED]>; Fri, 12 Jan 2007 09:36:50 -0600
(CST)
Received: from mail.cnn.com (10.165.130.21)
  by cnnimail33.turner.com with ESMTP; 12 Jan 2007 10:36:49 -0500
Message-Id: <[EMAIL PROTECTED]>
From: CNNMoney.com Alerts <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Russia's Lukoil pumps $2.4B in profits
MIME-Version: 1.0
Content-Type: TEXT/HTML; charset=US-ASCII
Date: Fri, 12 Jan 2007 09:36:50 -0600 (CST)


This one is most likely spam as this email account has been inactive for
at least 6 months:

Received: from tigger.babycenter.com (tigger.babycenter.com
[10.128.130.152])
by cosby.mailsender.com (8.13.8/8.13.8) with ESMTP id
l0D5hne7011671
for <[EMAIL PROTECTED]>; Fri, 12 Jan 2007 21:44:03
-0800 (PST)
Message-ID:
<[EMAIL PROTECTED]>
Date: Fri, 12 Jan 2007 21:43:49 -0800 (PST)
From: BabyCenter Store <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: This weekend only. $50 off on top of sale prices.
Mime-Version: 1.0
Content-Type: text/html
Content-Transfer-Encoding: quoted-printable


Another one to that same user:
Received: from MYWX-S8.myweather.net (cliff.myweather.net
[64.73.35.115])
by spamfilter.onlineky.net (Postfix) with ESMTP id 8ED2119631
for <[EMAIL PROTECTED]>; Sat, 13 Jan 2007 02:31:14
-0600 (CST)
Received: by MYWX-S8.myweather.net (PowerMTA(TM) v2.0r13) id
hl2cd6046443; Sat, 13 Jan 2007 02:31:01 -0600 (envelope-from
<[EMAIL PROTECTED]>)
Date: Sat, 13 Jan 2007 02:31:01 -0600
Subject: Your Personal Predictor
x-envid: 1168677003.1103304562
To: [EMAIL PROTECTED]
From: [EMAIL PROTECTED]
Content-type: text/html; charset="ISO-8859-1"
Message-Id: <[EMAIL PROTECTED]>

This one got flagged as spam for several
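The two scans of the same message earlier in this thread differ by exactly one rule. To make that kind of comparison mechanical, here is an added Python example (mine, not code from the thread or from SpamAssassin) that unfolds an X-Spam-Status header, parses its tests= list, and diffs two scans: which rules were added, removed or rescored, which added rule alone would flip the verdict, and whether the listed test scores add up to the reported score. The two headers are embedded as constructed samples copied from the post, written the way they sit in a raw message (folded onto tab-indented continuation lines); the regexes and the 0.05 rounding tolerance are my own choices.

```python
import re
from typing import Dict, Tuple

# Constructed samples: the two X-Spam-Status headers from the post above,
# written as they sit in a raw message, folded onto tab-indented lines.
SCAN_OK = """\
X-Spam-Status: Yes, score=20.9 required=5.0 tests=HTML_10_20=0.945,
\tHTML_MESSAGE=0.001,RAZOR2_CF_RANGE_51_100=0.5,
\tRAZOR2_CF_RANGE_E8_51_100=1.5,RAZOR2_CHECK=0.5,SARE_GIF_ATTACH=0.75,
\tSARE_STOCK_MSG_ID2=2.22,TW_RQ=0.077,URIBL_AB_SURBL=3.306,
\tURIBL_JP_SURBL=3.36,URIBL_OB_SURBL=2.617,URIBL_SC_SURBL=3.6,
\tURIBL_WS_SURBL=1.533 autolearn=disabled version=3.1.7
"""
SCAN_WHITELISTED = """\
X-Spam-Status: No, score=-79.1 required=5.0 tests=HTML_10_20=0.945,
\tHTML_MESSAGE=0.001,RAZOR2_CF_RANGE_51_100=0.5,
\tRAZOR2_CF_RANGE_E8_51_100=1.5,RAZOR2_CHECK=0.5,SARE_GIF_ATTACH=0.75,
\tSARE_STOCK_MSG_ID2=2.22,TW_RQ=0.077,URIBL_AB_SURBL=3.306,
\tURIBL_JP_SURBL=3.36,URIBL_OB_SURBL=2.617,URIBL_SC_SURBL=3.6,
\tURIBL_WS_SURBL=1.533,USER_IN_WHITELIST=-100 autolearn=disabled
"""

STATUS_RE = re.compile(
    r"X-Spam-Status:\s*(?P<verdict>Yes|No),\s*score=(?P<score>-?[\d.]+)"
    r"\s+required=(?P<required>[\d.]+)\s+tests=(?P<tests>\S+)"
)


def unfold(header: str) -> str:
    """Join folded continuation lines (leading whitespace) into one line."""
    return re.sub(r"\r?\n[ \t]+", "", header.strip())


def parse_spam_status(header: str) -> Tuple[bool, float, float, Dict[str, float]]:
    """Return (is_spam, score, required, {test: score}) for one header."""
    m = STATUS_RE.match(unfold(header))
    if m is None:
        raise ValueError("not an X-Spam-Status header")
    tests: Dict[str, float] = {}
    if m["tests"] != "none":
        for item in m["tests"].split(","):
            name, _, value = item.partition("=")
            tests[name] = float(value) if value else 0.0
    return m["verdict"] == "Yes", float(m["score"]), float(m["required"]), tests


def explain_verdict_change(before: str, after: str) -> Dict[str, object]:
    """Diff two scans of the same message and name the rule(s) that flipped it."""
    spam_a, score_a, _, tests_a = parse_spam_status(before)
    spam_b, score_b, req_b, tests_b = parse_spam_status(after)
    added = {k: v for k, v in tests_b.items() if k not in tests_a}
    removed = {k: v for k, v in tests_a.items() if k not in tests_b}
    changed = {k: (tests_a[k], tests_b[k])
               for k in tests_a.keys() & tests_b.keys() if tests_a[k] != tests_b[k]}
    # A newly hit rule is decisive if taking it away on its own would put
    # the score back over the threshold.
    decisive = [k for k, v in added.items() if score_b - v >= req_b]
    # The listed test scores should add up to the reported score (SA rounds
    # to one decimal); a large gap means the header is truncated or forged.
    consistent = tuple(abs(sum(t.values()) - s) < 0.05
                       for t, s in ((tests_a, score_a), (tests_b, score_b)))
    return {
        "verdict": (spam_a, spam_b),
        "score_delta": round(score_b - score_a, 3),
        "added": added, "removed": removed, "changed": changed,
        "decisive": decisive,
        "tests_consistent": consistent,
    }


if __name__ == "__main__":
    result = explain_verdict_change(SCAN_OK, SCAN_WHITELISTED)
    for key, value in result.items():
        print(f"{key}: {value}")
```

On the sample pair the only difference is USER_IN_WHITELIST at -100, and it is decisive on its own: the other thirteen rules still add up to 20.9 against a threshold of 5.0. The consistency check is only meaningful for headers your own scanner added; an X-Spam-Status header that arrived with the message from outside should be stripped by the MTA before scanning, not trusted.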

SA 3.X seconds tracking

2005-01-06 Thread Ryan Pavely
I was wondering if there is any work in SA 3.0+ to track/report the 
seconds of each part of scanning a message. If I have a spike from 4.0 
seconds to, say, 15 overall, it's hard to track down why.

Secondly, is there any way to tell the master SA process to re-read 
/etc/mail/spamassassin/local.cf so as to enable/disable a feature without 
killing off and restarting all processes?

--
 Ryan Pavely
  Director Research And Development
  Net Access Corporation


Re: Odd error when -x is used

2004-12-22 Thread Ryan Pavely
Well, your email did bring me to an interesting observation.
I am using SpamC for SA 3.0, and had upgraded from SA 2.63.
Notice the layout of my error message: although ALL machines that run 
spamc (/usr/local/bin/spamc) are 3.0, somehow
my error is displaying the SA 2.63 help message!

That's pretty obvious now that you made me run spamc -h :)
 Ryan Pavely
  Director Research And Development
  Net Access Corporation

Evan Platt wrote:
At 08:55 AM 12/22/2004, you wrote:
 -H  Randomize IP addresses for the looked-up
 hostname.

My bad, sorry. Worth a try though. Sometimes you miss the obvious. :)



Re: Odd error when -x is used

2004-12-22 Thread Ryan Pavely
 -H  Randomize IP addresses for the looked-up
 hostname.
 Ryan Pavely
  Director Research And Development
  Net Access Corporation

Evan Platt wrote:
At 08:32 AM 12/22/2004, you wrote:
Since my upgrade to SA 3.0 I have a few more timeouts on occasion.
Therefore I decided to test adding -x to my .qmail spamc line.
eg. |/usr/local/bin/spamc -x -H -d spamd.nac.net -u [EMAIL PROTECTED]
On occasion I get a message here and there that looks like this...
Return-Path: <[EMAIL PROTECTED]>
Delivered-To: [EMAIL PROTECTED]
Usage: spamc [options] < message


-h: print this help message

Unless I'm mistaken, you are telling it to display the help message...
Evan 



Odd error when -x is used

2004-12-22 Thread Ryan Pavely
Since my upgrade to SA 3.0 I have a few more timeouts on occasion.  
Therefore I decided to test adding -x to my .qmail spamc line.
eg. |/usr/local/bin/spamc -x -H -d spamd.nac.net -u [EMAIL PROTECTED]

On occasion I get a message here and there that looks like this...
Return-Path: <[EMAIL PROTECTED]>
Delivered-To: [EMAIL PROTECTED]
Usage: spamc [options] < message
-B: BSMTP mode - expect input to be a single SMTP-formatted message
-c: check only - print score/threshold and exit code set to 0 if message is not 
spam, 1 if spam
-r: report if spam - print report for spam messages
-R: report - print report for all messages
-y: symbols - print only the names of the tests hit
-d host: specify host to connect to  [default: localhost]
-e command [args]: Command to output to instead of stdout. MUST BE THE LAST 
OPTION.
-f: fallback safely - in case of comms error, dump original message unchanges 
instead of setting exitcode
-h: print this help message
-p port: specify port for connection [default: 783]
-s size: specify max message size, any bigger and it will be returned w/out 
processing [default: 250k]
-S: use SSL to talk to spamd
-u username: specify the username for spamd to process this message under
-x: don't fallback safely - in a comms error, exit with a TEMPFAIL error code
-t: timeout in seconds to read from spamd. 0 disables. [default: 600]

--
 Ryan Pavely
  Director Research And Development
  Net Access Corporation
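The finding in this thread is a client/server version mismatch: the spamc binary on the box printed an older usage text, and that text does not list -H, the option the .qmail line passes, so the usage dump ended up where the message should have been. Here is an added Python example (mine, not from the thread or from SpamAssassin) that checks, before a .qmail line is rolled out, that every option it passes appears in the installed spamc's own usage output. The invocation and the usage text are embedded as constructed samples based on the post (the usage text documents -h but no -H, as on the page; the mailbox is a placeholder); usage_for() shows how to pull the text from a real binary with spamc -h.

```python
import re
import shlex
import subprocess
from typing import List, Set

# Constructed sample: the .qmail line from the post, with the elided mailbox
# replaced by a placeholder.
QMAIL_LINE = "|/usr/local/bin/spamc -x -H -d spamd.nac.net -u USER@EXAMPLE"

# Constructed sample: usage text of the older spamc, modelled on the usage
# dump in the post above.  It documents -h but not -H.
OLD_SPAMC_USAGE = """\
Usage: spamc [options] < message
-c: check only - print score/threshold and exit code set to 0 if message is not spam, 1 if spam
-d host: specify host to connect to  [default: localhost]
-e command [args]: Command to output to instead of stdout. MUST BE THE LAST OPTION.
-f: fallback safely - in case of comms error, dump original message unchanged instead of setting exitcode
-h: print this help message
-p port: specify port for connection [default: 783]
-u username: specify the username for spamd to process this message under
-x: don't fallback safely - in a comms error, exit with a TEMPFAIL error code
-t: timeout in seconds to read from spamd. 0 disables. [default: 600]
"""


def options_in_invocation(qmail_line: str) -> List[str]:
    """Single-letter options passed on a '|command ...' delivery line."""
    argv = shlex.split(qmail_line.lstrip("| \t"))
    return [tok for tok in argv[1:] if re.fullmatch(r"-[A-Za-z]", tok)]


def documented_options(usage_text: str) -> Set[str]:
    """Options the usage text lists at the start of a line, e.g. '-d host:'."""
    return {"-" + letter for letter in
            re.findall(r"^\s*-([A-Za-z])[: ]", usage_text, re.MULTILINE)}


def unsupported_options(qmail_line: str, usage_text: str) -> List[str]:
    """Options the delivery line passes that this spamc does not document."""
    known = documented_options(usage_text)
    return [opt for opt in options_in_invocation(qmail_line) if opt not in known]


def usage_for(spamc_path: str) -> str:
    """Fetch the usage text from a real binary; spamc -h may print to stderr."""
    proc = subprocess.run([spamc_path, "-h"], capture_output=True, text=True)
    return proc.stdout + proc.stderr


if __name__ == "__main__":
    missing = unsupported_options(QMAIL_LINE, OLD_SPAMC_USAGE)
    print("options unknown to this spamc:", missing or "none")
```

Against a live box the call is unsupported_options(QMAIL_LINE, usage_for("/usr/local/bin/spamc")), run on every machine that has its own spamc copy, since the point of the thread is that the copies were not all the version the servers were.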


Re: spamd still burning CPU in 3.0.1

2004-11-04 Thread Ryan Pavely
We have a nice e-mail setup with 5 inbound mx boxes (Qmail + 
QmailScanner + ClamD), 4 spamd boxes, 2 outbound smtp, 1 imap/pop 
server, and a pq (problem queue) box that mx can re-route mail to if 
there is a customer issue.

Every box is a Dual CPU: Intel(R) Xeon(TM) CPU 2.40GHz (2399.33-MHz 
686-class CPU) w/ 2-4 gigs of ram.
Running FreeBSD 5.2.1

Our spamd boxes are running SA 2.63.  We created a spamd-beta box 
running 3.0 for a few e-mail boxes and LOVE the upgrades.

Spamd1 - 4 handle an average of 1.5 million messages per day, 810 per 
minute.
Each box is configured to a max child of 128, and usually hover around 
70% cpu idle, and 500 megs of ram free.

However when we tested 3.0 on one of the live spamd boxes, even after 
throttling the max-child down to say 64, the cpu's are pegged, and 
around 500 megs into swap.

Another interesting thing I noticed, when SA 2.63 is set to 128 children 
it only spawns them as needed.  SA 3.0 likes to spawn the full number of 
children no matter what!

Do I stay with 2.63 (which is behind the times these days and misses too 
much spam)?
Do I add more machines?
Do I wait for some memory/cpu improvements in some future version of SA?

 Ryan Pavely
  Director Research And Development
  Net Access Corporation

Jeff Koch wrote:
We have two production mailservers running SA spamd. The first handles 
about 5,000 incoming emails per hour, does spam filtering with SA and 
virus filtering with qmailscanner and forwards the filtered mail to a 
server handling the pop accounts. We're using SA 2.64 with Bayes, AWL, 
Razor and about half of the RBL's. The machine is a 2.8Ghz P4 with 
1.0GB RAM and SCSI hard drive. CPU usage runs between 25-40% and 
system load runs 1.50 to 2.20 with isolated spikes to 7.0.

The second machine is a 2Ghz Athlon with 1.0GB RAM and an IDE drive. 
It does spam and virus filtering with SA 2.64 and qmailscanner and 
also handles POP3 sessions with vpopmail. We use Bayes, AWL, Razor and 
the same RBL's. It handles approx 2,500 emails per hour (with peaks of 
5K emails/hour) and approx 2,000 pop3 sessions per hour (peaks of 5K 
pops/hour). CPU usage runs about 20% with peaks to 50% and system load 
averages 0.80 with peaks of 16.0.

We are pretty satisfied with the above setup. We tried moving one of 
the servers to SA 3.0 in order to use the new MySQL Bayes features but 
got absolutely killed on CPU usage and system load - that lasted about 
a day and we reverted to 2.64.

We figure that we'd have to reduce the email load on each server by 
50% in order to use SA 3.0 and thereby need twice as many servers. 
However, we're going to wait until the SA developers take the memory 
and load issues seriously and fix the problem. Maybe if enough users 
complain they'll do some high volume production test comparisons of 
3.0 with previous versions and sort out the problem.



At 09:33 PM 10/27/2004, email builder wrote:
> email builder wrote:
> >>email builder wrote:
> >>How much email are you processing ?
> >
> > Well, just the other day we had an average of 48 msgs/min (max 255/min) get
> > run through SA.  Can't say today yet because can't run our stats tools until
> > the busy hours are over cuz SA is hogging the CPU.  ;)
>
> Hi,
>
> Your CPU is over loaded.  At 48 a minute it should run just ok on a 2.8
> Ghz machine, much over that it's going to start having problems.  On our
> 2.4 Ghz (not HT) processor if I process over 35 a minute I start having
> problems with load.

I have two reactions to this:
1) I like the glimmer of hope and the idea that throwing hardware at the
problem can solve it
2) Throwing hardware at problems is usually avoiding fixing the *real*
problem.  According to other posters on this list, my load is not excessive
for a modern-day 2.xGHz machine.  I will have to re-read some messages, but I
believe responders to my posts on the "[OT] Email Servers" thread quoted
similar machine specs and higher load than me and said they did not have load
problems.  I'd love to hear that I am mistaken and that it's just a matter of
too little hardware, but I am skeptical...

> I'd recommend upgrading to a dual server or perhaps putting in a second
> server with round robin DNS (or if you can do it, a load balancer).

We've been thinking about a multiple-machine email solution and have been
wondering about architecture.  Since SA seems to be the *only* email server
module that causes us grief (even amavisd-new/clamav is nicer to our
machine!!), and although it seems strange not to go with a separate file
server or database server machine (or to otherwise split up SMTP and IMAP,
etc), I am starting to think (as you suggest) that just adding a separate SA
server is going to get us the biggest performance increase.  What are
people's opinions and expe