spamd 'exceeded time limit' inquiry

2019-11-29 Thread Tom H
Hey everyone,

I have a few questions about something I'm encountering with spamd.

I've noticed cases where a bounce message to the server results in spamd
'exceeded time limit'. It reaches the limit of 300+ seconds. In this
particular case, the message size is 564kB and contains an attachment.
Normally, such a message size would not cause spamd to 'hang' for 5 minutes.

I've pulled the bounce message in question to troubleshoot, and noticed that
with spamc it does not recognize the attachment (no attachment rules hit).
When scanning the original message (non bounce), spamc does recognize the
attachment. I also noticed a significantly longer wait time using spamc with
the bounce message compared to the original message.

I also used the 'HitFreqsRuleTiming' plugin to see the performance of rule
scan time between the bounce message and original message. I noticed that
the bounce message had rules taking 4+ seconds (upstream rules such as
__FILL_THIS_FORM_SHORT2 and __FILL_THIS_FORM_LONG2), while this was not the
case in the original message.


I have two questions:

1) By default, does SpamAssassin *not* decode/scan the base64 of the
attachment?

2) Is the longer scan time of the 'bounce' message due to SpamAssassin
scanning the attachment text lines in a way that it normally would not if it
had recognized that it is an attachment?


Thanks in advance.






--
Sent from: http://spamassassin.1065346.n5.nabble.com/SpamAssassin-Users-f3.html
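
A way to check the situation raised in question 2, as an added example that is not part of the original post and is not SpamAssassin's own parser: walk the MIME tree of each message and count base64-looking lines that sit inside text parts. The two sample messages are constructed, and the bounce layout (original pasted inline into a text/plain body) is an assumption about how the bounce was generated.

```python
import base64
import re
from email import message_from_bytes, policy

# A line consisting only of base64 alphabet, 60+ chars (wrapped base64 is usually 76).
B64_LINE = re.compile(r"^[A-Za-z0-9+/]{60,}={0,2}$")

def audit_parts(raw: bytes):
    """One dict per leaf MIME part: type, transfer encoding, filename, and how
    many lines of a text part still look like undecoded base64."""
    msg = message_from_bytes(raw, policy=policy.default)
    report = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        b64_lines = 0
        if part.get_content_maintype() == "text":
            text = part.get_payload(decode=True).decode("latin-1")
            b64_lines = sum(1 for line in text.splitlines()
                            if B64_LINE.match(line.strip()))
        report.append({
            "type": part.get_content_type(),
            "cte": str(part.get("Content-Transfer-Encoding", "7bit")),
            "filename": part.get_filename(),
            "b64_text_lines": b64_lines,
        })
    return report

# Constructed sample data: 570 bytes encode to exactly 10 base64 lines of 76 chars.
ATTACHMENT = base64.encodebytes(bytes(range(190)) * 3).decode()
ORIGINAL = (
    "From: a@example.test\nSubject: report\nMIME-Version: 1.0\n"
    'Content-Type: multipart/mixed; boundary="b1"\n\n'
    "--b1\nContent-Type: text/plain\n\nSee attached.\n"
    "--b1\nContent-Type: application/pdf\n"
    "Content-Transfer-Encoding: base64\n"
    'Content-Disposition: attachment; filename="r.pdf"\n\n'
    + ATTACHMENT + "--b1--\n"
).encode()
# Assumed bounce layout: the original is appended as plain body text.
BOUNCE = (
    "From: MAILER-DAEMON@example.test\nSubject: failure notice\n"
    "Content-Type: text/plain\n\n"
    "Delivery failed. Copy of the message follows.\n\n"
).encode() + ORIGINAL

if __name__ == "__main__":
    for name, raw in (("original", ORIGINAL), ("bounce", BOUNCE)):
        print(name, audit_parts(raw))
```

A non-zero `b64_text_lines` on a text part means the encoded attachment is being presented as body text rather than as a separate MIME part.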


Re: spam that only hits the BAYES_99 rule

2006-11-12 Thread Tom H

Matt Kettler wrote:
> Tom H wrote:
>> Hi,
>>
>> I was getting hit by a great deal of spam that only hits the BAYES_99
>>
>> I would be grateful for any ideas on this...
>
> Sounds like the message contains a URI that is now listed in many of the
> SURBL and URIBL lists.
>
> It may be that this got listed after you got the spam, but do you have
> network tests enabled?


  
There is a URL in the domain that definitely hits some of the URIBLs
(results from the SURBL+ Checker on rulesemporium)


   * RBL: skipping uri lookups on ip-based RBLs
   * URIBL: multi.surbl.org: *listed* [Blocked,
 madesucxxxntiondetunhadesu.com on lists [ab][jp][ob][sc][ws],
 See: http://www.surbl.org/lists.html]
   * URIBL: multi.uribl.com: *listed* [Blacklisted, see
 http://lookup.uribl.com/?domain=madesuntioxxxndetunxxxhadesu.com
 http://lookup.uribl.com/?domain=madesuntiondetunhadesu.com]

However I don't seem to get any score for those, even though 
spamassassin is clearly running the network tests, as I can see from the 
debug output;


[EMAIL PROTECTED] ~]# spamassassin -t -D -p /etc/mail/sa-mimedefang.cf /usr/share/doc/spamassassin-3.1.4/sample-spam.txt


snip

[27826] dbg: uridnsbl: domains to query:
[27826] dbg: dns: checking RBL sbl-xbl.spamhaus.org., set sblxbl
[27826] dbg: dns: checking RBL sa-other.bondedsender.org., set bsp-untrusted
[27826] dbg: dns: checking RBL combined.njabl.org., set njabl-lastexternal
[27826] dbg: dns: checking RBL combined.njabl.org., set njabl
[27826] dbg: dns: checking RBL bl.spamcop.net., set spamcop
[27826] dbg: dns: checking RBL dnsbl.sorbs.net., set sorbs-lastexternal
[27826] dbg: dns: checking RBL dnsbl.sorbs.net., set sorbs
[27826] dbg: dns: checking RBL sbl-xbl.spamhaus.org., set sblxbl-lastexternal
[27826] dbg: dns: checking RBL sa-accredit.habeas.com., set habeas-firsttrusted
[27826] dbg: dns: checking RBL combined-HIB.dnsiplists.completewhois.com., set whois
[27826] dbg: dns: checking RBL list.dsbl.org., set dsbl-lastexternal
[27826] dbg: dns: checking RBL sa-trusted.bondedsender.org., set bsp-firsttrusted
[27826] dbg: dns: checking RBL combined-HIB.dnsiplists.completewhois.com., set whois-lastexternal
[27826] dbg: dns: checking RBL iadb.isipp.com., set iadb-firsttrusted

snip

Content analysis details:   (999.9 points, 4.5 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
-0.0 NO_RELAYS              Informational: message was not relayed via SMTP
1000 GTUBE                  BODY: Generic Test for Unsolicited Bulk Email
-0.2 BAYES_40               BODY: Bayesian spam probability is 20 to 40%
                            [score: 0.2288]
-0.0 NO_RECEIVED            Informational: message has no Received headers
 0.1 AWL                    AWL: From: address is in the auto white-list



My sa-defang.cf is:


required_hits 4.5
ok_locales en
rewrite_subject 1
# report_header 1
# use_terse_report 0
# defang_mime 0
# skip_rbl_checks 0
#Enable bayes
auto_learn 1
use_bayes 1
bayes_path  /var/spool/MIMEDefang/.spamassassin/bayes
bayes_file_mode 0666



spam that only hits the BAYES_99 rule

2006-11-11 Thread Tom H

Hi,

I was getting hit by a great deal of spam that only hits the BAYES_99
rule, and maybe gets less than a point or so from elsewhere.
But now I'm getting ones through that are basically only hitting the
BAYES_99 and nothing else;

X-Spam-Score: 3.5 (***) BAYES_99

I tried to send the mail to this list to demonstrate the content but got 
bounced with 12.9 spam score.


I'm running sa-update weekly, and rules_du_jour daily with a big set of
rules, and I'm still not hitting loads of obvious spam. Particularly 
those with the title Re: + good and then a number appended to the end.


The only thing I can think of at the moment is to reduce my
required_hits to 3.5 or increase the score for BAYES_99 to 5, but I
would prefer not to do the latter as I like a default and automatically 
updated installation.


I would be grateful for any ideas on this...

Thanks,

Tom H