RE: spam_scan: DSPAM not available, skipping it

2006-06-21 Thread Steven Lamb
I added all of my domains into the local domain map.

Hopefully seeing all of the tags and attempting to run them back through my
spamassassin will show the problem.

Thanks for the advice

Steven Lamb


-----Original Message-----
From: Mark Martinec [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, June 21, 2006 11:11 AM
To: users@spamassassin.apache.org
Subject: Re: spam_scan: DSPAM not available, skipping it


Steven,

> spam_scan: DSPAM not available, skipping it

That's fine, you have SA. Few people use DSPAM with amavisd-new.

> I have been having a problem with my amavis-new spamassassin install. I
> have had a user who complains of spam getting through despite the fact that
> I am using dns black lists and rule modifications to try and keep up with
> things.

Use: 'amavisd debug-sa' to see how and which rules SA evaluates.
Perhaps you have network tests disabled or paths to rules directory
may be wrong.

See also: http://www.ijs.si/software/amavisd/#faq-spam
-> SpamAssassin returns different score or null score or triggers
   different set of SA rules when called from amavisd-new, as compared
   to the command-line utility spamassassin on the same message.
   What is wrong?

> The most annoying part that I find is that the messages that get 
> through have no SA tags in them. I have set the tags trigger at -999 so I
> should see headers in all of my messages.

If recipient is not local, then X-Spam* headers are not inserted.
Fix your @local_domains_maps.

> Jun 20 15:17:28 ws3 amavis[8850]: (08850-03) CALLING SA check
> Jun 20 15:17:33 ws3 amavis[8850]: (08850-03) RETURNED FROM SA check, time
> left: 25 s
> Jun 20 15:17:33 ws3 amavis[8850]: (08850-03) spam_scan: score=-2.599
> tests=[BAYES_00=-2.599]

SA was called and matched BAYES_00 rule.

> Jun 20 15:17:33 ws3 amavis[8850]: (08850-03) lookup (local_domains) =>
> undef, "[EMAIL PROTECTED]" does not match

satuci.com does not match @local_domains_maps, X-Spam headers
won't be inserted.

  Mark
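
The check Mark walks through above (SA was called and logged a score, but a `lookup (local_domains) => undef` line means no X-Spam headers are inserted for that recipient) can be run over a whole amavisd-new debug log. This is an added example, not part of the original messages or of amavisd-new; the log lines and addresses are constructed, and it assumes unwrapped syslog lines in the format quoted in this thread.

```python
import re
from collections import defaultdict

# Constructed sample in the format of the debug log quoted in this thread.
# Addresses are placeholders; lines are unwrapped, as in the syslog file itself.
SAMPLE_LOG = r"""
Jun 20 15:17:28 ws3 amavis[8850]: (08850-03) ESMTP< RCPT TO:<alice@example.org>\r\n
Jun 20 15:17:28 ws3 amavis[8850]: (08850-03) ESMTP< RCPT TO:<bob@example.com>\r\n
Jun 20 15:17:33 ws3 amavis[8850]: (08850-03) spam_scan: score=-2.599 tests=[BAYES_00=-2.599]
Jun 20 15:17:33 ws3 amavis[8850]: (08850-03) lookup (local_domains) => undef, "alice@example.org" does not match
Jun 20 15:18:02 ws3 amavis[8851]: (08851-01) ESMTP< RCPT TO:<bob@example.com>\r\n
Jun 20 15:18:05 ws3 amavis[8851]: (08851-01) spam_scan: score=7.2 tests=[BAYES_99=3.5,URIBL_BLACK=3.7]
"""

TASK = re.compile(r"amavis\[\d+\]: \((\d+-\d+)\) (.*)$")
RCPT = re.compile(r"RCPT TO:<([^>]+)>")
SCAN = re.compile(r"spam_scan: score=(-?[\d.]+) tests=\[(.*?)\]")
MISS = re.compile(r'lookup \(local_domains\) => undef, "([^"]+)" does not match')

def untagged_recipients(log_text):
    """Return one record per scanned message that has non-local recipients."""
    tasks = defaultdict(lambda: {"rcpt": [], "miss": set(), "score": None, "tests": []})
    for line in log_text.splitlines():
        m = TASK.search(line)
        if not m:
            continue
        task, msg = tasks[m.group(1)], m.group(2)
        if r := RCPT.search(msg):
            task["rcpt"].append(r.group(1).lower())
        elif s := SCAN.search(msg):
            task["score"] = float(s.group(1))
            task["tests"] = [t.split("=")[0] for t in s.group(2).split(",") if t]
        elif n := MISS.search(msg):
            task["miss"].add(n.group(1).lower())
    report = []
    for task_id, t in tasks.items():
        # SA ran (a score was logged) but a recipient failed the local_domains
        # lookup: that recipient's copy is delivered without X-Spam-* headers.
        missed = sorted(a for a in t["rcpt"] if a in t["miss"])
        if t["score"] is not None and missed:
            report.append({"task": task_id, "score": t["score"], "tests": t["tests"],
                           "recipients": missed,
                           "domains": sorted({a.rpartition("@")[2] for a in missed})})
    return report

if __name__ == "__main__":
    for rec in untagged_recipients(SAMPLE_LOG):
        print(rec)
```

Any domain in the `domains` list that the server actually receives mail for is a candidate for `@local_domains_maps`.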








spam_scan: DSPAM not available, skipping it

2006-06-21 Thread Steven Lamb
I have been having a problem with my amavis-new spamassassin install. I have
had a user who complains of spam getting through despite the fact that I am
using dns black lists and rule modifications to try and keep up with things.
The most annoying part that I find is that the messages that get through
have no SA tags in them. I have set the tags trigger at -999 so I should see
headers in all of my messages. After turning up my verbosity on my log files
I find that SA's rules are not being called on these messages at all (except
of course for Bayes, which seems to only remove points from these messages).

Anyone who can help me figure this out would be much appreciated.

Here is my log output for this message exchange

Jun 20 15:17:28 ws3 amavis[8850]: (08850-03) SMTP> 220 [127.0.0.1] ESMTP
amavisd-new service ready
Jun 20 15:17:28 ws3 amavis[8850]: (08850-03) idle_proc, 4: was busy, 2.4 ms,
total idle 24.570 s, busy 4.828 s
Jun 20 15:17:28 ws3 amavis[8850]: (08850-03) idle_proc, 5: was idle, 0.2 ms,
total idle 24.570 s, busy 4.828 s
Jun 20 15:17:28 ws3 amavis[8850]: (08850-03) prolong_timer after reading
SMTP command: remaining time = 480 s
Jun 20 15:17:28 ws3 amavis[8850]: (08850-03) SMTP< EHLO ws3.adiis.net\r\n
Jun 20 15:17:28 ws3 amavis[8850]: (08850-03) ESMTP> 250-[127.0.0.1]
Jun 20 15:17:28 ws3 amavis[8850]: (08850-03) ESMTP> 250-PIPELINING
Jun 20 15:17:28 ws3 amavis[8850]: (08850-03) ESMTP> 250-SIZE
Jun 20 15:17:28 ws3 amavis[8850]: (08850-03) ESMTP> 250-8BITMIME
Jun 20 15:17:28 ws3 amavis[8850]: (08850-03) ESMTP> 250-ENHANCEDSTATUSCODES
Jun 20 15:17:28 ws3 amavis[8850]: (08850-03) ESMTP> 250 XFORWARD NAME ADDR
PROTO HELO
Jun 20 15:17:28 ws3 amavis[8850]: (08850-03) idle_proc, 6: was busy, 1.1 ms,
total idle 24.570 s, busy 4.829 s
Jun 20 15:17:28 ws3 amavis[8850]: (08850-03) idle_proc, 5: was idle, 0.2 ms,
total idle 24.571 s, busy 4.829 s
Jun 20 15:17:28 ws3 amavis[8850]: (08850-03) prolong_timer after reading
SMTP command: remaining time = 480 s
Jun 20 15:17:28 ws3 amavis[8850]: (08850-03) ESMTP< XFORWARD
NAME=ms1.adiis.net ADDR=207.177.36.3\r\n
Jun 20 15:17:28 ws3 amavis[8850]: (08850-03) ESMTP> 250 2.5.0 Ok XFORWARD
Jun 20 15:17:28 ws3 amavis[8850]: (08850-03) idle_proc, 6: was busy, 0.6 ms,
total idle 24.571 s, busy 4.830 s
Jun 20 15:17:28 ws3 amavis[8850]: (08850-03) idle_proc, 5: was idle, 0.1 ms,
total idle 24.571 s, busy 4.830 s
Jun 20 15:17:28 ws3 amavis[8850]: (08850-03) prolong_timer after reading
SMTP command: remaining time = 480 s
Jun 20 15:17:28 ws3 amavis[8850]: (08850-03) ESMTP< XFORWARD PROTO=ESMTP
HELO=ms1.adiis.net\r\n
Jun 20 15:17:28 ws3 amavis[8850]: (08850-03) ESMTP> 250 2.5.0 Ok XFORWARD
Jun 20 15:17:28 ws3 amavis[8850]: (08850-03) idle_proc, 6: was busy, 0.6 ms,
total idle 24.571 s, busy 4.830 s
Jun 20 15:17:28 ws3 amavis[8850]: (08850-03) idle_proc, 5: was idle, 0.1 ms,
total idle 24.571 s, busy 4.830 s
Jun 20 15:17:28 ws3 amavis[8850]: (08850-03) prolong_timer after reading
SMTP command: remaining time = 480 s
Jun 20 15:17:28 ws3 amavis[8850]: (08850-03) ESMTP< MAIL
FROM:<[EMAIL PROTECTED]> SIZE=1483\r\n
Jun 20 15:17:28 ws3 amavis[8850]: (08850-03) prolong_timer after MAIL FROM
received - timer reset: remaining time = 480 s
Jun 20 15:17:28 ws3 amavis[8850]: (08850-03) check_mail_begin_task:
task_count=3
Jun 20 15:17:28 ws3 amavis[8850]: (08850-03) lookup (debug_sender) => undef,
"[EMAIL PROTECTED]" does not match
Jun 20 15:17:28 ws3 amavis[8850]: (08850-03) ESMTP> 250 2.1.0 Sender
[EMAIL PROTECTED] OK
Jun 20 15:17:28 ws3 amavis[8850]: (08850-03) idle_proc, 6: was busy, 1.3 ms,
total idle 24.571 s, busy 4.832 s
Jun 20 15:17:28 ws3 amavis[8850]: (08850-03) idle_proc, 5: was idle, 0.1 ms,
total idle 24.571 s, busy 4.832 s
Jun 20 15:17:28 ws3 amavis[8850]: (08850-03) prolong_timer after reading
SMTP command: remaining time = 480 s
Jun 20 15:17:28 ws3 amavis[8850]: (08850-03) ESMTP< RCPT
TO:<[EMAIL PROTECTED]>\r\n
Jun 20 15:17:28 ws3 amavis[8850]: (08850-03) ESMTP> 250 2.1.5 Recipient
[EMAIL PROTECTED] OK
Jun 20 15:17:28 ws3 amavis[8850]: (08850-03) idle_proc, 6: was busy, 0.6 ms,
total idle 24.571 s, busy 4.832 s
Jun 20 15:17:28 ws3 amavis[8850]: (08850-03) idle_proc, 5: was idle, 0.1 ms,
total idle 24.571 s, busy 4.832 s
Jun 20 15:17:28 ws3 amavis[8850]: (08850-03) prolong_timer after reading
SMTP command: remaining time = 480 s
Jun 20 15:17:28 ws3 amavis[8850]: (08850-03) ESMTP< RCPT
TO:<[EMAIL PROTECTED]>\r\n
Jun 20 15:17:28 ws3 amavis[8850]: (08850-03) ESMTP> 250 2.1.5 Recipient
[EMAIL PROTECTED] OK
Jun 20 15:17:28 ws3 amavis[8850]: (08850-03) idle_proc, 6: was busy, 0.6 ms,
total idle 24.571 s, busy 4.833 s
Jun 20 15:17:28 ws3 amavis[8850]: (08850-03) idle_proc, 5: was idle, 0.1 ms,
total idle 24.571 s, busy 4.833 s
Jun 20 15:17:28 ws3 amavis[8850]: (08850-03) prolong_timer after reading
SMTP command: remaining time = 480 s
Jun 20 15:17:28 ws3 amavis[8850]: (08850-03) ESMTP< DATA\r\n
Jun 20 15:17:28 ws3 amavis[8850]: (08850-03) prolong_timer after DATA
received - timer res

Re: RATWARE_ZERO_TZ=4.1

2005-11-16 Thread Steven Lamb
This is interesting. I would think that this rule could cause several false 
positives. For instance anyone that is a hotmail user and has a name that 
matches one of those patterns. I guess if this is the case I need to lower 
the score for that rule as my kill value is a 3.5, or even worse how about 
anyone that is from England that writes html / text email that has that kind 
of name.


Thanks for the info on this rule.

Steven Lamb
----- Original Message -----
From: "Matt Kettler" <[EMAIL PROTECTED]>

To: "Steven Lamb" <[EMAIL PROTECTED]>
Cc: 
Sent: Wednesday, November 16, 2005 1:34 PM
Subject: Re: RATWARE_ZERO_TZ=4.1



Steven Lamb wrote:

> I have a false positive that I had to release two of today with this
> rule as what appears to be the offending rule. Can someone explain to me
> what this rule checks for, so that I can try to fix it or just get rid
> of it?



It's looking for a combination of 3 things:

1) Date: header in the + timezone.
2) Content-Type: text/html
3) matching one of several specific patterns for the From: address, all of
which appear to be based on putting together fragments of the real name part
plus 2 extra letters at the end. For the real name part "matt kettler" the
following addresses would match:
<[EMAIL PROTECTED]>
<[EMAIL PROTECTED]>

All three criteria need to match, and 3) has 7 different patterns it could
match on.






RATWARE_ZERO_TZ=4.1

2005-11-16 Thread Steven Lamb
I have a false positive that I had to release two of today with this rule as
what appears to be the offending rule. Can someone explain to me what this
rule checks for, so that I can try to fix it or just get rid of it?


thanks

Steven Lamb 



FP on domain ratio

2005-10-06 Thread Steven Lamb
I had a FP from domain_ratio today. I was wondering if someone could explain
to me how this works so that I can avoid it in the future.


thanks

Steven Lamb 



amavisd-new

2005-09-22 Thread Steven Lamb
I am looking for a way to modify my subject line so that the spam assassin
hits show in the subject line, but since I am using amavisd-new I think it
has to occur in the amavisd.conf file.


Has anyone got this working before?

thanks in advance for any suggestions

config is
amavisd-new-2.3.3 (20050822)
SpamAssassin version 3.0.4
 running on Perl version 5.8.6
Fedora Core 4 



testing spamassassin

2005-09-14 Thread Steven Lamb

I have a corpus of email and have been trying to get good metrics on it. I
have run the messages through with spamassassin -t but this only adds stuff
onto the ends of all of my messages. Is there any way to get a summary of
the test, i.e. how many are spam, how many are ham, average score, so on so
forth? Or even have it separate my messages into different folders? I know
this is a newbie-ish question but I am indeed a newbie.

I am running spamassassin version 3.0.4-1.fc4, on redhat fedora core 4 with
amavisd-new and clam-av

thanks in advance for any help you can provide