Re: Spamassassin is useless

2007-04-18 Thread Steven Dickenson

Jean-Paul Natola wrote:

My most recent discovery was SA hanging on huge attachments ( from
web-designers) , I'm currently  TRYING to modify Exim to NOT send messages
over 500k to SA- as most spam is usually just a few k-
  
This is generally a good idea and can be easily accomplished in Exim.  
Just add the following condition to your spam checking ACL.


condition = ${if <{$message_size}{500k}{1}{0}}

Steven


Re: R: R: R: Relay Checker Plugin (code review please?)

2006-10-31 Thread Steven Dickenson

On Oct 31, 2006, at 6:09 AM, John Rudd wrote:

I've considered the exact opposite (adding static to the check for  
keywords).  My rules are really looking more for is this a  
_client_ host, not is this a dynamic host.  That one check looks  
for dynamic, but I'm not interested in exempting anyone because  
they're static.  They've still got a hostname that looks like an  
end-client, and an end-client shouldn't be connecting to other  
people's mail servers.  Any end-client that connects to someone  
else's email server should be treated like it's a spam/virus zombie


I can't agree with this.  Many small businesses in the US get just  
these kind of static connections from broadband ISPs.  Comcast, for  
example, has all of their static customers using rDNS that would fail  
your tests, and they refuse to set up a custom PTR record or delegate  
the record to someone else.  Most of these static customers are  
legitimate business networks running their own mail server, and have  
neither the need nor desire to relay their mail through Comcast's  
SMTP servers.  I think your general idea is very good, but you're  
reaching a little too far with this one.


Steven
---
Steven Dickenson [EMAIL PROTECTED]
http://www.mrchuckles.net




Re: FP for HELO_DYNAMIC_DHCP and HELO_DYNAMIC_IPADDR

2006-10-18 Thread Steven Dickenson


On Oct 18, 2006, at 11:47 AM, Ugo Bellavance wrote:
This should be fixed, as many Videotron clients purchase a static  
IP address to have their own mail server.  This service also comes  
with all ports open (dynamic has port 25 blocked in/out), so they  
are almost telling their clients to deliver directly.


What should I do, create a bug entry in bugzilla?


Well, the proper thing to do would be to get your rDNS fixed.  If  
they're offering static IP services to business customers, they  
should be offering rDNS as well.  Have them change your rDNS record  
to match your A record.


Steven
---
Steven Dickenson [EMAIL PROTECTED]
http://www.mrchuckles.net




Re: Delete spam or move to a folder?

2006-05-18 Thread Steven Dickenson
Couldn't find a thread like this hence this new one. Just wondering  
what strategy people are using when it comes to dealing with email  
that gets enough points to be considered as spam. Eg. being deleted  
and quarantined, or delivered and quarantined etc.


I'm using store and deliver - is that the general concept out there  
with everyone?


At work we reject any mail tagged as spam (5 points +) during the  
SMTP session.  This has the benefit of sending notification to the  
true sender rather than having my server try to deliver an NDR after  
the fact.  I haven't had a report of a false positive from any of my  
users in the last year.  Still get some false negatives (mostly  
419'er stuff), but overall my users are happy.  This set up obviously  
won't work for all organizations, but as a school we find our user  
base and email content to be rather homogenous.


At home, since I'm using fetchmail, I sort all mail tagged as spam  
into a subfolder of each user's Maildir.


Steven
---
Steven Dickenson [EMAIL PROTECTED]
http://www.mrchuckles.net




Re: Automatically Updating Rules on Windows

2006-03-02 Thread Steven Dickenson

On Mar 2, 2006, at 10:16 AM, mouss wrote:


Jeremy wrote:

I use SpamAssassin on Windows with no Perl/CYGWIN environment


do you mean you managed to run SA without perl? if so, how?



No, he's running SA from MDaemon, which has some form of an internal  
SA engine, but uses the same basic configuration and rulesets via  
text files.


Steven
---
Steven Dickenson [EMAIL PROTECTED]
http://www.mrchuckles.net




Re: Spamassassin + Exchange 2k3 + Antivirus Recommendations

2005-11-23 Thread Steven Dickenson


Christopher Brower [EMAIL PROTECTED] 11/22/2005  
12:03:40 am 

Can anyone recommend a good setup for running SpamAssassin and an open
source antivirus solution on a SMTP gateway in front of an Exchange  
box?

Also could you point me to some guides? It's been awhile since I setup
spam assassin and last time I did I think it was version 2.0. Is it
possible now to allow users to setup their own whitelists and spam
filter levels through something like mysql?


I prefer Exim, SA, and ClamAV doing SMTP-time rejection.  However,  
this does not offer you any easy way to do per-user settings or  
whitelists.


You might want to check out something like Maia Mailguard.

Steven
---
Steven Dickenson [EMAIL PROTECTED]
http://www.mrchuckles.net



Re: What the hell is that?

2005-08-11 Thread Steven Dickenson


On Aug 10, 2005, at 1:21 PM, Matt Kettler wrote:
For example, try doing turkeybacon as a destination. Firefox will  
fail the
lookup, do a web search (using google or whatever your default  
search engine is)

and jump to the first hit:

http://www.livejournal.com/userinfo.bml?user=turkeybacon


Damn shame that's not a cooking blog.  Turkey with bacon, damn good  
eats.


Steven
---
Steven Dickenson [EMAIL PROTECTED]
http://www.mrchuckles.net



Re: spamd and exim

2005-08-04 Thread Steven Dickenson

Herb Martin wrote:

40-50 a day (over 9 days) for low volume mail server.  Another
server was primary MX until yesterday, and now I am picking off
much of the junk before it even gets to SpamD.


Ouch, that's a lot.


It was so prevalent when I first switched this Exim server to primary
that my thinking was that it was my mistake, then a problem with
having upgraded SpamD (I am running an aggressive pre-release),
then a problem that might be Cygwin specific, or finally network
related.


Hmm, you're running this under Cygwin?  I wonder if the OP is, too...


I understand that -- but is the reset/failure to complete the
SpamD check also cached?  That is, if stanza #1 spam check
gets reset without finishing, will the stanza #2 use the 
cached failure? (versus retry in stanza #2.)


I believe not -- based on my logs -- and I hope not.  So with
5 spamd stanzas in the exim config, it seems to only 'miss'
once (maybe twice) per message  before running the check...


A quick check of the source reveals that error conditions are not 
cached, so that would explain the behavior you're seeing in your logs.


For the devs, this is how Exim parses spamd's output.  You guys see 
anything odd about this?


if( sscanf(CS spamd_buffer,
     "SPAMD/%s 0 EX_OK\r\nContent-length: %*u\r\n\r\n%lf/%lf\r\n%n",
     spamd_version,&spamd_score,&spamd_threshold,
     &spamd_report_offset) != 3 ) {
  /* try to fall back to pre-2.50 spamd output */
  if( sscanf(CS spamd_buffer,
       "SPAMD/%s 0 EX_OK\r\nSpam: %*s ; %lf / %lf\r\n\r\n%n",
       spamd_version,&spamd_score,&spamd_threshold,
       &spamd_report_offset) != 3 ) {
    log_write(0, LOG_MAIN|LOG_PANIC,
      "spam acl condition: cannot parse spamd output");
    return DEFER;
  };
};

- S
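
Added example (not part of the original post and not Exim's own code): a standalone C program that applies the two sscanf() formats quoted in the post above to constructed spamd replies, showing that a truncated, empty or non-OK reply takes the DEFER path that is logged as "cannot parse spamd output". The struct, function name, return codes and sample replies are assumptions made for illustration, and the version field is read with a width-limited %15s instead of the bare %s in the quoted snippet.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-ins for the OK / DEFER results of the ACL condition. */
enum { SPAM_OK = 0, SPAM_DEFER = 1 };

struct spamd_result {
    char   version[16];     /* protocol version from the status line */
    double score;           /* score reported by spamd */
    double threshold;       /* required score reported by spamd */
    int    report_offset;   /* index of the first byte of the report text */
};

/* Constructed sample replies (not captured traffic). */
static const char REPLY_CURRENT[] =
    "SPAMD/1.1 0 EX_OK\r\nContent-length: 33\r\n\r\n"
    "12.5/5.0\r\nConstructed report body";
static const char REPLY_PRE_250[] =
    "SPAMD/1.0 0 EX_OK\r\nSpam: True ; 12.5 / 5.0\r\n\r\n"
    "Constructed report body";
/* Connection dropped after the headers: the score line never arrives. */
static const char REPLY_TRUNCATED[] =
    "SPAMD/1.1 0 EX_OK\r\nContent-length: 33\r\n\r\n";
/* Connection reset before a single byte was read. */
static const char REPLY_EMPTY[] = "";
/* Constructed status line carrying a non-zero result code. */
static const char REPLY_ERROR[] = "SPAMD/1.0 74 EX_IOERR\r\n";

/*
 * Try the current reply format first, then the pre-2.50 format, as the
 * quoted snippet does. sscanf() returns the number of assigned
 * conversions: version, score and threshold make 3. "%*u" and "%*s" are
 * suppressed and "%n" is not counted, so anything other than 3 means the
 * reply did not match and the check has to be deferred.
 */
int parse_spamd_reply(const char *buf, struct spamd_result *r)
{
    memset(r, 0, sizeof *r);
    r->report_offset = -1;
    if (sscanf(buf,
               "SPAMD/%15s 0 EX_OK\r\nContent-length: %*u\r\n\r\n%lf/%lf\r\n%n",
               r->version, &r->score, &r->threshold,
               &r->report_offset) == 3 && r->report_offset >= 0)
        return SPAM_OK;

    /* Fallback: start from a clean result so no partial match leaks through. */
    memset(r, 0, sizeof *r);
    r->report_offset = -1;
    if (sscanf(buf,
               "SPAMD/%15s 0 EX_OK\r\nSpam: %*s ; %lf / %lf\r\n\r\n%n",
               r->version, &r->score, &r->threshold,
               &r->report_offset) == 3 && r->report_offset >= 0)
        return SPAM_OK;

    return SPAM_DEFER;
}

static void show(const char *label, const char *reply)
{
    struct spamd_result r;

    if (parse_spamd_reply(reply, &r) == SPAM_OK)
        printf("%-10s OK    version=%s score=%.1f threshold=%.1f report=\"%s\"\n",
               label, r.version, r.score, r.threshold,
               reply + r.report_offset);
    else
        printf("%-10s DEFER (cannot parse spamd output)\n", label);
}

int main(void)
{
    show("current",   REPLY_CURRENT);
    show("pre-2.50",  REPLY_PRE_250);
    show("truncated", REPLY_TRUNCATED);
    show("empty",     REPLY_EMPTY);
    show("error",     REPLY_ERROR);
    return 0;
}
```
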


Re: spamd and exim

2005-08-03 Thread Steven Dickenson

On Aug 3, 2005, at 9:52 PM, Herb Martin wrote:


The message I am seeing in /var/log/exim_main.log is:
spam acl condition: cannot parse spamd output
H=(mailservername) [IP] F=address temporarily rejected after DATA


I am seeing a LOT of these but have been watching for them
in the Panic Log as they are more isolated there.


I've never seen this error on my systems.  Define a lot.  I'm  
curious if this problem is widespread.



Spam lookups (SpamAssassin) are supposedly cached and since
I have a LOT of Spam check stanzas in my Config so I am
pretty sure that every message gets checked, but sometimes
the unimportant check MIGHT get skipped.


They are cached.  Exim will only interface with spamd once per  
message, regardless of how many spam stanzas you have in your ACL.  I  
have 3 in mine.



Best GUESS:  It's a SpamD 'feature', but this is only an educated
guess based on chasing it for only one full day.


Feature?  This error is a feature, or something else?  I think I  
missed something...


Steven
---
Steven Dickenson [EMAIL PROTECTED]
http://www.mrchuckles.net



Re: Removing entries from the auto-whitelist?

2005-07-18 Thread Steven Dickenson

On Jul 18, 2005, at 9:08 AM, Dr Robert Young wrote:

I have some entries in the auto-whitelist that are bogus and give  
strong negative scores. How would one remove them w/out doing a  
clean or re-creating the auto-whitelist from scratch?


You've already asked this question and we've already answered it.   
Pay attention next time.


man spamassassin

Steven
---
Steven Dickenson [EMAIL PROTECTED]
http://www.mrchuckles.net



Re: HELP: Looking for mac mail server software

2005-07-16 Thread Steven Dickenson

On Jul 16, 2005, at 7:18 PM, Evan Platt wrote:

WOOPS, that shoulda gone to spam-l where my original post was, but  
I'm open to any suggestions. OS/X, 200 messages a day, private mail  
domain, just me, perhaps a list or two, must smtp-auth relay, easy  
to setup / use. Prefer GUI.


OS X uses Postfix by default (at least it does on my Powerbook  
running Tiger).  While it's not graphical per se, it's not  
difficult to set up.  I'm sure someone out there has written a GUI  
for it.  Check out VersionTracker.


Steven
---
Steven Dickenson [EMAIL PROTECTED]
http://www.mrchuckles.net



Re: Blacklisting

2005-07-13 Thread Steven Dickenson

On Jul 13, 2005, at 11:55 AM, Jean-Paul Natola wrote:


I'm attempting to blacklist  @freelotto.com

Is this the correct way edit the local.cf file?


RTFM.

http://spamassassin.apache.org/full/3.0.x/dist/doc/Mail_SpamAssassin_Conf.html


Steven
---
Steven Dickenson [EMAIL PROTECTED]
http://www.mrchuckles.net



Re: How to shut down

2005-07-12 Thread Steven Dickenson

On Jul 12, 2005, at 1:19 PM, Chris Santerre wrote:


Thinking of you,

Tom Cruise


You owe me for the can of soda I just sprayed on my desk.  Good times...


-Original Message-
From: Michael [mailto:[EMAIL PROTECTED]
Sent: Tuesday, July 12, 2005 12:48 PM
To: users@spamassassin.apache.org
Subject: How to shut down

How to shut down the spamassassin? so it doesn't run ??


What operating system are you running SA on?  How is it being called  
within your mail path?


We can't help you if you don't help us.

Steven
---
Steven Dickenson [EMAIL PROTECTED]
http://www.mrchuckles.net



Re: How to shut down

2005-07-12 Thread Steven Dickenson


On Jul 12, 2005, at 2:47 PM, Jay Lee wrote:


I think you meant Help me, help you!



You had me at hello...

Wait, what list is this again?  :)

Steven
---
Steven Dickenson [EMAIL PROTECTED]
http://www.mrchuckles.net



Re: rejectlog output

2005-07-08 Thread Steven Dickenson

Jean-Paul Natola wrote:

I'm trying mail myself the rejectlog but I would like only the headers or at
least the from addresses so that I can check to see for fp's 


This sounds like an Exim question.  SA doesn't have a reject log.  You 
should check out the Exim docs.


Short answer, take a look at eximstats for summarizing your logs.

Steven


Re: Scoring - Display none

2005-07-08 Thread Steven Dickenson

Jean-Paul Natola wrote:

Not to sound too ignorant, but how can I add that rule because it seems
that I don't have that installed. On that note how can I make sure all the
SARE rules are updated.


Download it from the SARE website and install it in /etc/spamassassin or 
/etc/mail/spamassassin; wherever your local.cf is.  Then HUP spamd.


Keep SARE rules up to date with RulesDuJour.

PS - Please don't top-post.  This isn't a Windows list.  If you're 
running Outlook, check out Outlook-QuoteFix.

http://jump.to/outlook-quotefix

Steven


Re: rules_du_jour script and firewall ports?

2005-07-08 Thread Steven Dickenson

On Jul 8, 2005, at 8:46 PM, Dr Robert Young wrote:

Anyone have information on which ports would need to be opened for  
rules_du_jour to function?


Just port 80.  RulesDuJour downloads rules from an HTTP server using  
either curl or wget.


Steven



Re: SA training

2005-07-07 Thread Steven Dickenson


On Jul 7, 2005, at 9:30 PM, Jean-Paul Natola wrote:

Here's what I did,

Installed Freebsd, then installed exim, then clamav and finally SA,

All were done via passive ftp


The default Exim configuration files do not do any SA scanning, so  
you must have modified them in some way.  If you're unfamiliar with  
Exim it might be helpful to check out Tim Jackson's howto.  It's a  
little out of date, but for the most part should work fine.


http://www.timj.co.uk/linux/Exim-SpamAndVirusScanning.pdf

Steven
---
Steven Dickenson [EMAIL PROTECTED]
http://www.mrchuckles.net




Re: SpamAssassin w/POP3 SMTP outsourced e-mail server...

2005-07-07 Thread Steven Dickenson



On Jul 7, 2005, at 10:59 PM, Loren Wilton wrote:


 Procmail will act as the pop3 server

Not quite.  My belief (and Joanne set this up, so she has the  
actual details) is that Fetchmail is feeding procmail, possibly  
going through Sendmail to do this. Procmail has a 2-line recipe  
that calls SA as part of the delivery process for local delivery to  
an account on the Linux box.


Fetchmail can deliver to procmail directly, or any MDA for that  
matter (I've heard of people using maildrop as well).


I don't know if Clam can be integrated using Procmail or not.  If  
it can be executed as a normal Unix stdin-stdout filter, I don't  
know why it wouldn't be possible to do it that way.  So you should  
(I think!) be able to feed to clam, and then to SA (actually  
spamd), and have the resulting mail end up sitting in user  
mailboxes ready to be grabbed by the users using pop3.


If you're interested in doing AV scanning in addition to spam  
scanning / tagging, then you're probably better off to have fetchmail  
deliver POP'ed mail to an MTA like Postfix or Exim, and have it do  
the spam / AV scanning.  I use Exim exclusively, and have this exact  
set up running on my home server for friends and family.  Works great.


I don't recall if you said your users are windows-types or unixen,  
but I'm assuming they are windows users.  If you want to enable  
Bayes with this setup you should be able to do it either per-user  
or site-wide fairly easily.  There is a plethora of information on  
setting up some imap ham/spam drop boxes that users can easily get  
to from either OE or Outlook to use for training the Bayes  
database.  Works like a charm here.


Since he's lost the ability to do SMTP-time rejection, what with  
using fetchmail and all, I'd go with per-user bayes databases.  Just  
make sure your users spend a little time training it up front.  You  
might want to look at a web-based front-end to handle bayes training  
and per-user settings.  Check the wiki for options.


Steven
---
Steven Dickenson [EMAIL PROTECTED]
http://www.mrchuckles.net




Re: More spam since upgrading

2005-07-06 Thread Steven Dickenson


On Jul 6, 2005, at 12:44 AM, jdow wrote:


OK OK - I made it 4.999 just for you. {^_-}


Thanks, I'll sleep better now knowing this... :-P

I was under the impression you made BAYES_99 worth 99 points.  5  
points for bayes isn't terrible, provided you have a well trained  
bayes database and the possibility for ham to trigger some negative  
rules.  My sites run BAYES_99 in the 4.5-ish range.



(That said, the rules for Bayes need bayesic reworking. There are two
modes in which it works, per user or global. In per user mode with  
some

decent manual training it is quite good. In global with hundreds of
users and autolearn it is probably at best an 80% thing. Some  
personal

for the per user with no autolearn is quite worthwhile.)


That's probably what makes me a little paranoid about bayes, we run  
it site wide so I'm always worried the database will go south PDQ.   
On my personal machine at home with per-user accounts, I've never  
seen bayes score a FP.


Steven
---
Steven Dickenson [EMAIL PROTECTED]
http://www.mrchuckles.net




Re: SpamAssassin w/POP3 SMTP outsourced e-mail server...

2005-07-05 Thread Steven Dickenson

On Jul 5, 2005, at 2:59 AM, Jesse Shumaker wrote:

Here is my situation. Currently, our e-mail isn't managed within  
our organization. We have a third party ISP who is hosting the e-mail  
for us. We simply configure our Outlook clients to  
authenticate to their SMTP/POP servers. Is there a way that I could  
setup a SpamAssassin box at each of my sites to filter each Outlook  
clients' outgoing and incoming mail?


You can set up a box running fetchmail to grab messages from your  
ISP's POP3 server, and then run them through SpamAssassin before  
delivering them to a mailbox on that box.  Then, set your Outlook  
clients to use your local box as the POP3 / IMAP server.  You'll  
lose the ability to reject mail based on SA scores, but you can  
throw the spam into a separate folder for each user.  I do this for  
my home network and it works quite nicely.


Steven
---
Steven Dickenson [EMAIL PROTECTED]
http://www.mrchuckles.net




Re: Upgrade woes

2005-07-05 Thread Steven Dickenson



On Jul 5, 2005, at 7:28 AM, Thomas Kinghorn [MTNNS -Rosebank] wrote:

Hi List.

Since upgrading, more spam gets through.

See X-Spam-Status:

X-Spam-Status: No, score=-0.4 required=4.4 tests=BAYES_50,DCC_CHECK,
 HTML_00_10,HTML_MESSAGE,J_CHICKENPOX_33,J_CHICKENPOX_41,MILLION_USD,
 MISSING_HEADERS,NIGERIAN_BODY1,RISK_FREE,SUBJ_ALL_CAPS,
 autolearn=no version=3.0.4

Well, something certainly doesn't add up with those tests.  Check  
your local.cf for any custom scores that may be overriding the stock  
rules.  You might want to run the same message through spamassassin -D  
and check the full report output.


Also, it might help to know what version you upgraded from.

Steven
---
Steven Dickenson [EMAIL PROTECTED]
http://www.mrchuckles.net




Re: Forged outlook headers

2005-07-05 Thread Steven Dickenson


On Jul 5, 2005, at 10:43 AM, [EMAIL PROTECTED] wrote:
We have users whose mail is sent through a proxy server before it  
gets filtered through SpamAssassin.
The proxy server rewrites the header of the message and then sends  
it on.   When our SpamAssassin
server filters the message it reads it as a forged outlook header  
and assigns it 3 points.


Put this in your local.cf.

score FORGED_MUA_OUTLOOK 0

Steven
---
Steven Dickenson [EMAIL PROTECTED]
http://www.mrchuckles.net




Re: no X Spam Status

2005-07-03 Thread Steven Dickenson


On Jul 3, 2005, at 3:11 AM, liyas_m m wrote:


i m running on Mac..it is supposed to be easy.


That's the funniest thing I've seen all week...

Steven
---
Steven Dickenson [EMAIL PROTECTED]
http://www.mrchuckles.net




Re: Spamassassin

2005-06-30 Thread Steven Dickenson


On Jun 30, 2005, at 9:20 AM, Michael wrote:



I have the option
use_auto_whitelist 1
in my local.cf and autolearn still doesn't work. Anyone know what  
should i do ??




That option enables the automatic whitelist, which is not the same  
thing as Bayes autolearning.  You want the option

bayes_auto_learn 1

You'll also want to tweak the auto_learn scores, as many feel the  
non-spam threshold is too high.  I've set mine to -0.1.


Steven
---
Steven Dickenson [EMAIL PROTECTED]
http://www.mrchuckles.net




Re: merges bayes DB???

2005-06-23 Thread Steven Dickenson

On Jun 23, 2005, at 12:24 PM, Michael Parker wrote:

Is there a way to merge 2 (or more) bayes DBs?




Short answer, No.  Long answer, search the users list.


Show my complete ignorance on this subject, but wouldn't a dump and  
load work, at least technically speaking?  Possibly followed by a  
sync and/or expire?


Steven
---
Steven Dickenson [EMAIL PROTECTED]
http://www.mrchuckles.net




Re: Exchange/Outlook - how do you learn spam?

2005-06-22 Thread Steven Dickenson

Matt Yackley wrote:

1. Email that has only been stored in user mailbox and then pulled from a 
mailbox
via IMAP/POP3 will retain the full headers of the email.


What happens if a user moves the mail item to another folder in their 
mailbox, and is then extracted via imap?



MS is trying to come up with a work-around for the problem, also in his spare 
time
our developer at work is looking to see if he can come up with a work-around.  
If I
find a better way to pull messages out of Exchange, I'll let everyone know.


I wouldn't hold my breath for MS to solve this.

Any word on your spam report button add-in for Outlook?

- S


Re: auto-whitelist is making spams sneak through

2005-06-22 Thread Steven Dickenson

On Jun 22, 2005, at 9:36 PM, Mike Pepe wrote:
In analyzing the ones that make it through, I see that other users  
in my domain are CC, which causes the auto-whitelist to score the  
spam lower than if I run it through manually without that test.


I'm sure others may chime in to say that auto-whitelist is just doing  
its job.  However, it's for reasons such as this that I always  
disable auto-whitelist.  It usually proves to be a source of much  
confusion and FP/FN mail for me.  YMMV.


I've just set auto-whitelist to 0 in my .spamassassin/user_prefs.cf  
which I hope will stop that from happening, but in the meantime is  
there some way to manipulate or even reset my whitelist database?


You can reset the auto-whitelist by deleting it.

rm ~/.spamassassin/auto-whitelist*

- S
---
Steven Dickenson [EMAIL PROTECTED]
http://www.mrchuckles.net




Re: Can't write into world-writable directories?

2005-06-13 Thread Steven Dickenson

Peter Guhl wrote:

Sendmail, Spamass-Milter.

After installing spamass-milter it is set to run as root but it has a
security fallback; it doesn't use root all the time. Maybe that's
causing this behaviour that it writes into /root/.spamassassin but using
the user spamd.


Likely so.  I would set the bayes path explicitly in local.cf 
(bayes_path option) to a certain location, and ensure that this 
fallback account that Spamass-Milter is using has write privileges 
there.  I'm not familiar with Sendmail or its milters, so this is all I 
can offer.


- S


Re: Fw: SpamAssassin assistance

2005-06-13 Thread Steven Dickenson

Jim Schueler wrote:
My users have been getting particularly insidious emails containing a  
windows virus that purports to come from the system administrator. 


[snip]

I would expect this test would be part of the distributed SpamAssassin  
configuration files.  Can anybody recommend an approach other than   
reinventing the wheel? 


I'm fairly certain SA has some stock rules that deal with HELO forgery, 
but since I'm not totally familiar with them, I'll let others speak to that.


What I can suggest is that you put an AV scanner in your mail path.  I'm 
partial to calling ClamAV from Exim, where I can do SMTP-time rejects of 
viruses.  Depending on your MTA, you may also be able to do some of 
these HELO checks during the SMTP session.


FWIW, I've seen many legitimate sites present incorrect or even invalid 
HELO data.  Particularly Windows sites behind NAT boxes, or small sites 
using low-cost broadband where setting up rDNS is impossible.


- S


Re: Spamassassin 3.0.3 and no scan for a domain ?

2005-06-10 Thread Steven Dickenson

Matt Kettler wrote:
qmail-scanner may have many positive attributes, but flexible control of 
scanning is not one of them.


I don't think it's so much their problem, as it is a general limitation 
of SMTP-time rejection.  Since a single message could be intended for 
multiple recipients (and thus multiple domains), you can't really do any 
type of per-user (and by extension, per-domain) settings during the SMTP 
session.  Once you've hit the DATA phase, a reject is all or nothing.


Any type of SMTP-time SA scan is going to have similar limitations 
(Exiscan-ACL, SA-Exim, Amavisd-new and Postfix in certain configurations).


- S


Re: SA and Exchange 5.5

2005-06-10 Thread Steven Dickenson

Ben O'Hara wrote:

Anyways, I've installed SpamAssassin and ClamAV on a dedicated *nix box
with exim which works great for filtering the mail...however, I'd
rather deliver ALL mail onto exchange and have spam messages moved
into a SPAM Folder within the users Private Information Store.


You can do this with 2000 and 2003 automatically with this tool.
http://www.ivasoft.biz/spammover.shtml

Otherwise, you'll need to write up a howto for users, and have them 
create the folder and Outlook rule themselves.  However, once the rule 
is set up in Outlook, it will fire automatically on the Exchange server, 
even if your users access their mail through some other interface (OWA, 
IMAP, etc).


If you have the resources, I would recommend making the move to Exchange 
2003 sooner rather than later.  It is a huge improvement over 5.5 in 
almost every way, and is far more secure and standards compliant to boot.


If you're more concerned about quarantine and per-user settings than 
SMTP-time rejection, take a look at Maia Mailguard.  It works with 
amavisd and Postfix to implement a very sophisticated spam/virus 
quarantine and per-user settings which are all easily managed by the 
user through a web interface.  False positives can easily be reinjected 
back into Postfix for delivery to your Exchange server.


http://www.renaissoft.com/projects/maia/

Exim+Exiscan is a great setup, which I run at work and home, but its 
real strength is in SMTP-time rejection.  Since you don't seem to need 
or want that, other products may provide better flexibility.


- S


Re: Advice for a weekend spam assassin?

2005-06-10 Thread Steven Dickenson

James Bucanek wrote:

Greetings, As you can see, the Bayes filter has nailed it as spam,
but it still only gets a score of 3.6.


Bayes scores are really quite low in SA v3 - 3.0.2.  You may want to 
upgrade to 3.0.3 to get the newer Bayes scores, or revert to the v2.6x 
scores in your local.cf.  We've done the latter here with no ill effect, 
by putting the following block in our local.cf.


score BAYES_00 0 0 -1.665 -2.599
score BAYES_05 0 0 -0.925 -0.413
score BAYES_20 0 0 -0.730 -1.951
score BAYES_40 0 0 -0.276 -1.096
score BAYES_50 0 0 1.567 0.001
score BAYES_60 0 0 3.515 1.372
score BAYES_80 0 0 3.608 2.087
score BAYES_95 0 0 3.514 3.063
score BAYES_99 0 0 4.070 4.886


I currently have my threshold set to 7.0.  I've been considering
lowering it again (maybe to 5.0), but am paranoid about false
positives.  I can go through my mailbox and see ham that has scores
of 3 or even 4.


I only tag my personal/family accounts, so FP's, while annoying, are 
only a folder away (I tag at 4, everyone else at 5).  However, I've only 
had 2 FP in the last year, and both were from mortgage companies when I 
was going through a refi.  Would you mind posting some of your 
higher-scoring ham, with headers?  It's possible you have a 
misconfiguration in some of your settings.



I was previously using a client-side Bayes filtering system and was
getting 99.8+% spam identification rates.  SA has been, so far, a bit
of a disappointment and I'm sure it's my fault.  :)


My home account probably gets a 5 9's identification rate, with a near 
zero FP rate.  SARE rulesets, network tests, and a well trained Bayes 
database make a huge difference in the performance of SA.  Make sure 
your trusted_networks are set correctly and enable network tests, URIBL 
tests, and Razor/Pyzor.  Check out the CustomRuleset section of the wiki 
for info on SARE and other rulesets.


- S




Re: Can't write into world-writable directories?

2005-06-09 Thread Steven Dickenson

Peter Guhl wrote:

Well, still... somehow I don't get why the software is running as spamd
and tries to write into /root. I wouldn't say anything if the software
involved wasn't designed to cooperate (spamd, spamass-milter). But -
well, it works now.


Whatever is calling spamc (or interfacing with spamd) is setting the 
username to root.  This is generally a bad thing, IMHO.


What MTA are you running?  How are you calling spamassassin?

- S


Re: DNS lookups

2005-06-09 Thread Steven Dickenson

Ronan McGlue wrote:
This is because SA doesn't use the system resolver, it uses Net::DNS's 
resolver. This gives SA a lot of control over queries, but doesn't 
take advantage of things like /etc/hosts, and only uses your primary DNS.


ahhh ok
anyway i can hack it??
*goes off to read CPAN*...


We run bind with no zones on our SA gateway to serve as a DNS cache. 
Helps take a load off DNS lookups for common hosts.  You can easily do 
this with any other DNS daemon as well.  Google for caching nameserver.


- S


Re: Outlook plugin

2005-06-07 Thread Steven Dickenson

Vadym Chepkov wrote:

I have read ResendingMailWithHeaders document and I couldn't find is there a 
plug-in available for
Outlook so you can provide a feedback to Bayes just by pressing 'Spam' or 'Ham' 
buttons? Thank
you.


Nothing I've found yet.

This page comes close:
http://www.peculiarities.com/code/outlook.html

It has code to report spam or ham or an Outlook public folder.  When 
used in conjunction with Exchange, you can run sa-learn on the public 
folder through IMAP.  Problem is the code is basically a VBA macro.  To 
make it really useful, someone would need to turn it into an Outlook 
add-in that creates commandbar icons and probably right-click menu options.


Anyone care to take this task on?

- S


Re: Whitelisting a host?

2005-06-03 Thread Steven Dickenson

[EMAIL PROTECTED] wrote:

can i whitelisting a host?
If yes, how can i do this ?


This is probably better done in your MTA or Procmail file, but something 
like this should suffice.


whitelist_from_rcvd [EMAIL PROTECTED] host.tld

Replace host.tld with the actual hostname of the server you wish to 
whitelist.  You might also want to replace the last * with the actual 
email domain you expect this host to be sending.


- S


Re: spamd and bayes question

2005-06-01 Thread Steven Dickenson

Jeffrey N. Miller wrote:
I want to use Spamassassin with MIMEDefang and Sendmail as a SMTP 
Gateway.  Can you use spamd/spamc with this method or does it just 
invoke the script method?  Also, what is the best way to train 
spamassassin if I have a SPAM dump in MSExchange public folders?  Or is 
there a better way of training bayes?


1) Can't really help you there, as I don't use MIMEDefang.  Try 
http://www.mimedefang.org/.


2) Access the messages via IMAP using this script:
http://www.dmzs.com/tools/files/spam.phtml

The downside to this approach is that Exchange will strip off many 
useful headers when accessing messages via IMAP, but it's still a good 
start for Bayes training.  Your only other option is to resend the mail 
from within Outlook.  For that, see here:

http://wiki.apache.org/spamassassin/ResendingMailWithHeaders

- S


Re: Comparison of SA and commercial solutions

2005-05-27 Thread Steven Dickenson

Eric A. Hall wrote:


Every filtering system requires admin time, and if the reviews don't say
as much then they're junk.

There is a critical difference with SA, however, which is that the admins
need to be proficient at stuff like CPAN, Perl, etc., while some of the
packaged offerings provide simple click-the-button GUI, and those can have
significantly lower salary associations.


I know next to nothing about Perl, and trying to grok someone else's Perl 
makes my eyes bleed, and I have a rather bad-ass little SA box filtering 
mail like a banshee.  It was easy to install...


apt-get install exim4-daemon-heavy spamassassin clamav-daemon razor

Debian is your friend.  :)

However, you make a good point.  Setting up a box takes at least a 
little *nix knowledge, or at least the ability to look for good 
documentation and learn quickly.  There are many howtos out there that 
can pretty much bring a newbie up to speed in a matter of hours.


One thing that is definitely missing is a Linux-based CD-bootable distro 
that creates a mail filtering gateway, similar to some of the firewall 
distros (IP-Cop, for example).


I won't even get into the whole salary association thing, I work at a 
private school, so I'm already on the low-end of the pay scale.  Can't 
beat the hours, though.


- S


Re: Comparison of SA and commercial solutions

2005-05-27 Thread Steven Dickenson

Martyn Drake wrote:

Ironically, after many years of faithful Linux use we're going down the 
Exchange route and mail handling to be given over to another department. 
I doubt we'll see a SA Linux box there.  Oh well.  I'm used to 
disappointments over the years, so it wasn't too much of a surprise to me.


You might be able to get your security group to take responsibility for 
it.  Many enterprises now consider first-line email servers something of 
an application-level proxy, particularly first-line servers that handle 
spam and malware filtering.  In these cases, they're usually handled by 
the security department.


I would imagine given the choice of an Exchange front-end server vs. a 
Linux-based SMTP gateway, they'd jump for the latter.


- S


Re: Turn off AWL

2005-05-27 Thread Steven Dickenson

Craig Jackson wrote:
I'd like to turn off AWL. I remember there used to be a switch in SA to 
do this but it's not there any more. I start spamd with -x -L


It was moved to the configuration files in v3.  Put

use_auto_whitelist 0

in your local.cf.

- S


Re: whitelist

2005-05-27 Thread Steven Dickenson

Ronan McGlue wrote:
I like a lot of you regularly get SA list traffic being diverted to the 
junk folder.. mydomain.com as a main focus in our examples...


but in the local.cf file i have the following

whitelist_from [EMAIL PROTECTED] [EMAIL PROTECTED] *.apache.org *.exim.org


Use whitelist_to.

Or, my preference, all_spam_to in the event of a GTUBE post.

- S


Re: SA Gateway - MS Exchange -- what if MSE down?

2005-05-27 Thread Steven Dickenson

[EMAIL PROTECTED] wrote:

Bingo.  I have a similar setup in place (s/postfix/sendmail/) and I
don't have my Exchange box listed as an MX at all.  I also have port
25 to the Exchange box firewalled off at the router to avoid
portscanning.


Not a good idea, IMHO.  What happens if your SA gateway goes down for 
the count, and you're not around to fix it?  In our case, I've 
documented how to change the firewall rules to allow direct connections 
to our internal Exchange server should the SA box go down.  That way if 
I'm out of town for a week, my desktop tech makes the change and email 
continues to flow.  Listing your Exchange box as a higher-cost MX 
doesn't really hurt anything, especially since you've firewalled your 
Exchange server (as any good admin should do).


Additionally, if you ever need to send directly from your Exchange 
server, not having an MX associated with that machine *can* cause your 
mail to look spammy to certain hard-line sites.


- S


Re: Do we need a Joe job bounce message blacklist?

2005-05-27 Thread Steven Dickenson

Matthew S. Cramer wrote:

If an email is from  or MAILER-DAEMON then I check the mail for a
line that looks like /^Received.*one.of.our.ip.addresses/.  If it
doesn't have the line, then I reject the mail with a 554 and Bounced
message did not originate here.

This has eliminated all the bogus bounces of spam and bogus virus
alerts.  I think virtually all MTAs include original message headers
when bouncing (even the ones that are sending the bogus spam and virus
bounces) so we haven't had any issues with this for the 6 months we've
been doing it.  Theoretically a legitimate bounce that didn't include
the original message headers would be rejected, but then it should end
up with the postmaster of the original bouncer and they will see the
cause of the error and fix their MTA.  But if that has happened to us,
no one has complained.


This sounds too good to be true.  Anyone care to collect some DSN's and 
NDR's from various MTA's and test this out?


Matt, I assume you're rejecting after DATA, so this in theory shouldn't 
throw off sender verification callouts?


- S
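
The check Matthew describes in the quoted text, written out so it can be run against collected DSNs and NDRs. This is an added example, not code from the thread: the addresses in OUR_IPS and both sample messages are constructed, and searching only below the bounce's own header block is an assumption made here.

```python
import re

# Assumption: addresses our outbound servers use (RFC 5737 documentation range).
OUR_IPS = ("192.0.2.25", "192.0.2.26")
# Boundaries around the address stop 192.0.2.25 from matching 192.0.2.251.
OUR_RECEIVED = re.compile(
    r"^Received:.*(?<![\d.])(?:%s)(?!\d)" % "|".join(map(re.escape, OUR_IPS)),
    re.MULTILINE | re.IGNORECASE)

def is_bounce(envelope_sender):
    """Null sender (<>) or a MAILER-DAEMON local part."""
    sender = envelope_sender.strip().strip("<>").lower()
    return sender == "" or sender.split("@")[0] == "mailer-daemon"

def bounce_verdict(envelope_sender, raw_message):
    """Return (accept, smtp_reply) as decided after DATA."""
    if not is_bounce(envelope_sender):
        return True, "250 OK"
    # Look only below the DSN's own header block: the returned original's
    # headers live in the body, and a Received line added on receipt by our
    # own gateway must not satisfy the check.
    _, _, body = raw_message.replace("\r\n", "\n").partition("\n\n")
    unfolded = re.sub(r"\n[ \t]+", " ", body)  # join folded header lines
    if OUR_RECEIVED.search(unfolded):
        return True, "250 OK"
    return False, "554 Bounced message did not originate here"

# Constructed samples (not real traffic).
GENUINE = (
    "From: MAILER-DAEMON@mx.example.net\nSubject: Undelivered mail\n\n"
    "The following message could not be delivered.\n\n"
    "Received: from gw.example.org (gw.example.org\n"
    "\t[192.0.2.25]) by mx.example.net; Fri, 27 May 2005 10:00:00 -0400\n"
    "From: user@example.org\nSubject: hello\n")
BACKSCATTER = (
    "From: MAILER-DAEMON@mx.example.net\nSubject: Virus found\n\n"
    "Received: from dsl.example.com ([192.0.2.251]) by mx.example.net\n"
    "From: user@example.org\nSubject: forged\n")

if __name__ == "__main__":
    for label, msg in (("genuine", GENUINE), ("backscatter", BACKSCATTER)):
        print(label, bounce_verdict("<>", msg))
```

A bounce whose returned headers are base64-encoded or omitted is rejected by this version, which is the theoretical false positive the quoted text mentions.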


Re: a question for exiscan and exim users

2005-05-27 Thread Steven Dickenson

Justin Mason wrote:

It appears that Exiscan has now become part of Exim by default,
and it also appears that (at least in the default exiscan patch)
it doesn't modify the config files directly to add itself to
the MTA's flow.


This is correct.  The shipped configuration file doesn't include any 
exiscan features.  In fact, as shipped Exim won't build with the content 
scanning features unless you add a statement to the local Makefile.



Is there a possibility that in default Exim setups, or default
OS-specific Exim packages, the exiscan config lines are being
inserted *without* the required message size limits, thereby
allowing massive emails to be scanned by SpamAssassin?  that
would inflate scanner sizes nonlinearly (and is always a no-no
with SpamAssassin).


As mentioned above, the shipped config files don't include any content 
scanning features.  The 4.5 Debian packages include commented out 
options for specifying spamd's IP/socket, but don't include any ACL 
statements.



Here's what I mean.  here's a good configuration stanza:

  deny message = Classified as spam (score $spam_score)
       condition = ${if <{$message_size}{300k}{1}{0}}
       spam = nobody

and here's a bad one:

  deny message = Classified as spam (score $spam_score)
       spam = nobody


It's entirely possible someone configured their system this way.  In 
fact, the examples shown in the 4.5 spec (documentation) don't include 
any size checks.  However, the examples from the exiscan website do. 
I'll make mention of this to Phillip on the Exim list and see if he'll 
update the spec examples.


- S


Re: my girlfriend is getting ticked :)

2005-03-31 Thread Steven Dickenson

Matthew Lenz wrote:

X-Spam-Status: No, score=4.1 required=5.0 tests=BAYES_99,HTML_80_90,
HTML_FONT_BIG,HTML_MESSAGE,HTML_TITLE_EMPTY,MIME_HTML_ONLY,
MSGID_FROM_MTA_ID autolearn=no version=3.0.2


I see your false negative scored 99% on bayes.  The BAYES_99 rule has a 
much lower score in v3 than it did in v2.  My users started bitching 
after the upgrade to 3 because all the sudden spam was starting to get 
through.  Tweaking up the bayes scores a bit helped significantly.

Steven


Re: SPAM/HAM folder

2005-03-18 Thread Steven Dickenson

Norman Zhang wrote:

On my SA Gateway, I have no local box except root. Should I forward
HAM/SPAM to local box? Mail are not meant for local delivery here.


I assume you mean for Bayesian training.  In that case, you can't use 
forwarded mail for that, as Bayesian training depends on having the 
original message intact.  If you try and train on forwarded messages, 
your Bayes database will get real ugly real quick.

We use an Exchange public folder that gets messages dragged to it, and 
a Perl script on the Exim gateway box that grabs messages from the 
public folder via IMAP and trains them.  It's not a perfect system, as 
users have to figure out how to drag and drop the messages into the 
public folder, plus Exchange will strip some headers out and add some of 
its own when you access a message through IMAP, but it's better than nothing.

Steven
--
Steven Dickenson [EMAIL PROTECTED]
http://www.mrchuckles.net


Re: Problem with a Rule

2005-03-04 Thread Steven Dickenson

Jon McGreevy wrote:

Tried both of those and not successful, anymore ideas


Why are you processing outgoing mail?  How are you calling SpamAssassin? 
I would look at bypassing SA for outgoing mail.

Steven


Re: I can't autolearn bayes databases with spam

2005-03-04 Thread Steven Dickenson

mw wrote:

As you can see above, the spam should gain min. 3 points from the header and
min. 3 points from the body ( these are spamassassin needs to classify mail
as spam ). Apart from this, in local.cf I've bayes_auto_learn_threshold_spam  7.0,
however autolearning doesn't work properly.


SpamAssassin will calculate two scores when examining a message.  The 
first score is used to classify the mail as spam and mark it, the second 
score is used to determine whether to auto-learn the message.  Many 
rules and options are excluded from the second score.  Additionally, 
auto-learning will only take place when using scoresets 0 and 1.  I 
suggest you run a full spamassassin -D on the message in question to see 
what tests are firing for the auto-learn portion of the score, as well 
as to determine what ruleset you're using on these messages.

For more info:
http://wiki.apache.org/spamassassin/AutolearningNotWorking

Steven
--
Steven Dickenson [EMAIL PROTECTED]
http://www.mrchuckles.net
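
A simplified model of the two scores described in the reply above, showing how a message can be marked as spam yet not be auto-learned. This is an added example, not SpamAssassin's code: the HYP_* rule names, every score and the header/body split are constructed, while the 7.0 threshold and the 3-point header and body minimums are the values quoted in the thread.

```python
from dataclasses import dataclass

# tflags that keep a rule out of the auto-learn score.
EXCLUDED_TFLAGS = {"learn", "userconf", "noautolearn"}

@dataclass
class Hit:
    name: str           # rule name (HYP_* names are hypothetical)
    area: str           # "header" or "body"
    check_score: float  # score in the scoreset used for the spam verdict
    learn_score: float  # score in the non-Bayes scoreset used for auto-learn
    tflags: frozenset = frozenset()

def autolearn_decision(hits, required=5.0, thr_spam=7.0, thr_ham=0.1):
    """Return (is_spam, learn_score, action) for one scanned message."""
    is_spam = sum(h.check_score for h in hits) >= required
    # Second score: drop excluded rules, then total it per message area.
    counted = [h for h in hits if not (h.tflags & EXCLUDED_TFLAGS)]
    learn = sum(h.learn_score for h in counted)
    header = sum(h.learn_score for h in counted if h.area == "header")
    body = sum(h.learn_score for h in counted if h.area == "body")
    if learn < thr_ham:
        action = "learn-ham"
    elif learn >= thr_spam and header >= 3.0 and body >= 3.0:
        action = "learn-spam"
    else:
        action = "no"
    return is_spam, learn, action

# Constructed hits and scores, not taken from a real message.
MESSAGE = [
    Hit("BAYES_99", "body", 3.5, 0.0, frozenset({"learn"})),
    Hit("HYP_HEADER_A", "header", 2.0, 2.5),
    Hit("HYP_BODY_A", "body", 3.0, 3.5),
    Hit("HYP_BODY_B", "body", 1.5, 1.5),
]
MESSAGE_MORE_HEADER = MESSAGE + [Hit("HYP_HEADER_B", "header", 1.0, 1.0)]

if __name__ == "__main__":
    print(autolearn_decision(MESSAGE))
    print(autolearn_decision(MESSAGE_MORE_HEADER))
```

The first message clears both the spam verdict and the 7.0 learn threshold but carries only 2.5 header points, so it is not learned; one more header hit tips it over.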


Re: spamassasin global bayes database

2005-03-02 Thread Steven Dickenson

Matt wrote:

What do I have to do to get spamassassin to use a global bayes
database for all users on the system, rather then per user?


http://wiki.apache.org/spamassassin/SiteWideBayesSetup

Steven
--
Steven Dickenson [EMAIL PROTECTED]
http://www.mrchuckles.net