Re: Help with bayes

2008-11-18 Thread Troy Settle 

Kai Schaetzl wrote:

Troy Settle wrote on Mon, 17 Nov 2008 13:33:10 -0500:

I'm having a major problem with the bayes system.  I cleared the bayes 
database and let it start re-learning.  Once it kicked in, I again 
started getting false hits with BAYES_00=-2.599 on a great many spam/uce 
messages.


How did you "let it start re-learning"? What's the output of sa-learn dump 
magic?
From incoming mail.  I'm still working on building a corpus suitable 
for sa-learn.


$ sa-learn --dump magic
0.000  0  3  0  non-token data: bayes db version
0.000  0  44946  0  non-token data: nspam
0.000  0  36757  0  non-token data: nham
0.000  0 545675  0  non-token data: ntokens
0.000  0 1226964376  0  non-token data: oldest atime
0.000  0 1227033356  0  non-token data: newest atime
0.000  0 1227033315  0  non-token data: last journal 
sync atime

0.000  0 1227007705  0  non-token data: last expiry atime
0.000  0  43200  0  non-token data: last expire 
atime delta
0.000  0 393274  0  non-token data: last expire 
reduction count



FWIW, how bad would I screw things up if I were to override the BAYES_00 
score to 0?



--
 Troy Settle
 Pulaski Networks ~ http://www.psknet.com
 866.477.5638 ~ 540.994.4254

Help with bayes

2008-11-17 Thread Troy Settle 
I'm having a major problem with the bayes system.  I cleared the bayes 
database and let it start re-learning.  Once it kicked in, I again 
started getting false hits with BAYES_00=-2.599 on a great many spam/uce 
messages.


Can someone point me to some good reading material to better understand 
why this is happening, and how to prevent it?


SA is running under a single user site-wide (about 2500 mailboxes 
total).  Is this screwing things up for me?  Would I have better results 
if I were to run SA for each user separately?


Thanks,

--
 Troy Settle
 Pulaski Networks
 866.477.5638

Re: SpamAssassin config

2008-11-15 Thread Troy Settle 


Sujit Acharyya-Choudhury wrote:
I have been modifying local.cf so that report_safe is 0 or 1.  Can not 
see any change.  For my sin, my exim config has the following entry:

warncondition = ${if or{\
{eq 
{${substr_0_6:$sender_host_address}}{161.74}}\

{>{$message_size}{60K}}\
}\
{0}{1}}
spam = exim
message = X-New-Subject: **SPAM** $h_Subject:
log_message = found spam score over treshold ($spam_score 
($spam_bar

)) Sender=\'$sender_address\' Subject=$h_Subject


In lcoal.cf in /etc/mail/spamassassin, I have
rewrite_header subject **SPAM**
# report_safe 1
I was wondering whether that modifies the header and can not see 
anything else. 


This isn't a SpamAssassin question, but an exim question that should go 
to the Exim-Users list, though this is easily found on the Exim Wiki:  
http://wiki.exim.org/ExiscanExamples


The problem you're running into, is that with the exiscan-acl extensions 
on Exim, SpamAssassin isn't working with the original message, it's 
working with a copy of the message.  The headers are probably getting 
re-written as you told SA to do, but since it's only a copy of the 
original message, exim will never see the changes made by SA.


You need to create a system filter:

   if first_delivery then
 if $h_X-New-Subject: is not ""
 then
headers remove Subject
headers add "Subject: $rh_X-New-Subject:"
headers remove X-New-Subject
 endif
   endif

Also, you might want to use $rh_Subject: rather than $h_Subject:

HTH,

--
 Troy Settle
 Pulaski Networks
 866.477.5638

Re: exim spamassassin AFTER SMTP

2008-11-10 Thread Troy Settle 

TN wrote:

Hi all,

It seems that almost everyone wants spamassasin before SMTP, but I need help in 
setting it up after delivery.

At the moment, I am using Exim4.6x, with SA 3.1.7, and it's default setup is to 
do the filtering at the ACL stage in Exim. We find this a bit tedious since 
users sending email have to endure quite a delay when sending, while SA does 
its work.we would much prefer it to accept the delivery, so that the user 
isn't waiting for their email client to finish up. We don't reject spam anyway, 
we're just happy to rewrite the subject, mark the email as spam and then let 
the email client rules sort the ham from spam based on those 2 marks - 
obviously we don't have a heavily laden email link so we can afford to accept 
spam and filter it after SMTP.

Alternatively, can it be configured to not do ANY filtering on authenticated 
senders, but process every other incoming email at ACL stage ? This would 
probably be best.

How can I do either of these with Exim & SA ?


thanks
T

TN,

This probably belongs on the Exim-users list, rather than the 
spamassassin list, but here goes...


It's pretty easy...  In your rcpt acl, set a variable for your 
relay_from_hosts and authenticated users.  Then, in the data acl, accept 
the message if the variable is set before you send the message to 
spamd.  I also bypass spamd for messages from user-approved senders.


check_rcpt:

 accept
   hosts   = +relay_from_hosts
   add_header  = X-ANTISPAM: Message sent from an accepted 
end-user host or network

   set acl_m_allow = 1
   control = submission

 accept
   authenticated   = *
   add_header  = X-ANTISPAM: Message sent from an authenticated 
user

   set acl_m_allow = 1
   control = submission

 accept
   condition   = ${if eq{${lookup mysql{USER_ACL}}}{allow}{1}{0}}
   set acl_m_allow = 1
   add_header  = X-ANTISPAM-SKIPPED: Sender in user's allowed 
senders list


check_data:

 warn  condition   = ${if !={$acl_m_allow}{1}}
   spam= global:true
   add_header  = X-SPAM-SCORE: $spam_score\nX-SPAM-REPORT: 
$spam_report



--
 Troy Settle
 Pulaski Networks
 866.477.5638

Re: Am I an idiot, or is bayes broken on my system?

2008-11-10 Thread Troy Settle 



Matus UHLAR - fantomas wrote:

are you sure spamc and spamassassin use the same BAYES dsatabase?
Did you try giving your uername to spamd via '-u' ?
  


Yes, I provided the -u flag to every command (spamassassin, sa-learn, 
and spamc).


Right now, everything is run under the user 'global' until I can figure 
out how to use SA/Bayes for individual virtual users...


--
 Troy Settle
 Pulaski Networks
 866.477.5638

Am I an idiot, or is bayes broken on my system?

2008-11-10 Thread Troy Settle 
I received a piece of junkmail this morning:  
http://home.psknet.com/troy/1.txt


In the spam report, I see this:  BAYES_00=-2.599

So, I run it through sa-learn with --spam:

Learned tokens from 1 message(s) (1 message(s) examined)

Then, I re-scan it using spamc, and still I get:

BAYES_00=-2.599

What gives?  I don't expect the total score to come up much, but the 
bayes should at least go from a negative number to a positive number... 
shouldn't it?


BTW, this is the 3rd or 4th annuity/insurance spam I've received and 
piped through sa-learn in the last few days (I don't have samples of the 
others, but I'll definitely keep samples of future such messages).


--
 Troy Settle
 Pulaski Networks
 866.477.5638