Re: Spam not stopped???
Also this is my /etc/default/spamass-milter:

OPTIONS=-u nobody -i 127.0.0.1,209.102.124.20 -r 9 -M

What strikes me as odd is that for the message that was stopped, the milter had its id set to spamass-milter:

Jun 15 06:27:31 mail spamd[981]: spamd: connection from localhost [127.0.0.1] at port 42127
Jun 15 06:27:31 mail spamd[981]: spamd: setuid to spamass-milter succeeded

For the message that did not get stopped, the milter had its id set to the target email id:

Jun 15 08:08:10 mail spamd[20901]: spamd: connection from localhost [127.0.0.1] at port 55987
Jun 15 08:08:10 mail spamd[20901]: spamd: setuid to user succeeded

Both of the actual targets were real users (not aliases). And I cannot see anywhere it should be set to spamass-milter when I have the -u nobody option set in the default/spamass-milter file.

Ken

On Thu, 16 Jun 2011, Mihamina Rakotomandimby wrote:

On Wed, 15 Jun 2011 21:15:06 -0400 Ryan Pavely para...@nac.net wrote:

but doesn't that log show it was identified as spam?

it does...

--
RMA.
Re: Spam not stopped???
I think I might have found the problem:

The directory /var/run/spamass/ had owner:group set to spamass-milter:root. I changed that to spamass-milter:smmta. Also, the permissions were set to drwxr-xr-x and I changed that to drwxr-sr-x.

I will see if that will solve the problem.

Ken

On Wed, 15 Jun 2011, User for SpamAssassin Mail List wrote:

Also this is my /etc/default/spamass-milter:

OPTIONS=-u nobody -i 127.0.0.1,209.102.124.20 -r 9 -M

What strikes me as odd is that for the message that was stopped, the milter had its id set to spamass-milter:

Jun 15 06:27:31 mail spamd[981]: spamd: connection from localhost [127.0.0.1] at port 42127
Jun 15 06:27:31 mail spamd[981]: spamd: setuid to spamass-milter succeeded

For the message that did not get stopped, the milter had its id set to the target email id:

Jun 15 08:08:10 mail spamd[20901]: spamd: connection from localhost [127.0.0.1] at port 55987
Jun 15 08:08:10 mail spamd[20901]: spamd: setuid to user succeeded

Both of the actual targets were real users (not aliases). And I cannot see anywhere it should be set to spamass-milter when I have the -u nobody option set in the default/spamass-milter file.

Ken

On Thu, 16 Jun 2011, Mihamina Rakotomandimby wrote:

On Wed, 15 Jun 2011 21:15:06 -0400 Ryan Pavely para...@nac.net wrote:

but doesn't that log show it was identified as spam?

it does...

--
RMA.
Spam not stopped???
Hello,

I have something I cannot explain. We blacklisted an email address for a client but SpamAssassin still let it through.

Here are the logs:

Jun 15 08:08:10 mail spamd[20901]: spamd: identified spam (104.0/6.0) for client:2130 in 0.2 seconds, 1729 bytes.
Jun 15 08:08:10 mail spamd[20901]: spamd: result: Y 103 - BAYES_50,HTML_MESSAGE,MISSING_SUBJECT,SPF_PASS,TVD_SPACE_RATIO,USER_IN_BLACKLIST scantime=0.2,size=1729,user=client,uid=2130,required_score=6.0,rhost=localhost,raddr=127.0.0.1,rport=55987,mid=snt117-w309552c1e79d42eb67a294ad...@phx.gbl,bayes=0.479706,autolearn=no
Jun 15 08:08:10 mail sm-mta[21077]: p5FF86ld021067: to=cli...@pcez.com, delay=00:00:03, xdelay=00:00:02, mailer=local, pri=31672, dsn=2.0.0, stat=Sent

As you can see the user is in the black list but yet the mail was delivered. I checked other email that was over a score of 9 and the mail was rejected, but for some reason or another this was not.

Anyone have an idea why this is making it through?

Thanks, Ken
Re: Spam not stopped???
Lawrence,

Thanks for the response. I know SpamAssassin doesn't stop it; we use a spamassassin milter for sendmail to reject it. (We've been doing this for years.)

Anyway, here is a log on an email that was rejected:

Jun 15 06:27:33 mail spamd[981]: spamd: identified spam (22.2/6.0) for spamass-milter:111 in 2.1 seconds, 5378 bytes.
Jun 15 06:27:33 mail spamd[981]: spamd: result: Y 22 - AWL,BAYES_99,HTML_IMAGE_ONLY_12,HTML_MESSAGE,HTML_SHORT_LINK_IMG_1,SARE_SPEC_ROLEX,SARE_SPOOF_COM2COM,SARE_SPOOF_COM2OTH,SPOOF_COM2COM,SPOOF_COM2OTH,URIBL_AB_SURBL,URIBL_BLACK,URIBL_JP_SURBL,URIBL_RHS_DOB,URIBL_SBL,URIBL_SC_SURBL,URIBL_WS_SURBL scantime=2.1,size=5378,user=spamass-milter,uid=111,required_score=6.0,rhost=localhost,raddr=127.0.0.1,rport=42127,mid=20110615185711.2964.qmail@vsp-6214cbe9e6d,bayes=1.00,autolearn=spam
Jun 15 06:27:33 mail sm-mta[1251]: p5FDRUgF001251: Milter: data, reject=550 5.7.1 Blocked by SpamAssassin
Jun 15 06:27:33 mail sm-mta[1251]: p5FDRUgF001251: to=u...@pcez.com, delay=00:00:02, pri=35237, stat=Blocked by SpamAssassin

The reason we did not block this at the MTA level is we do not know if OTHER users might want email from this email address.

Anyway I'm still looking for a clue why one is blocked and the other is not.

Thanks, Ken

On Wed, 15 Jun 2011, Lawrence @ Rogers wrote:

On 15/06/2011 10:00 PM, User for SpamAssassin Mail List wrote:

Hello,

I have something I cannot explain. We blacklisted an email address for a client but SpamAssassin still let it through.

Here are the logs:

Jun 15 08:08:10 mail spamd[20901]: spamd: identified spam (104.0/6.0) for client:2130 in 0.2 seconds, 1729 bytes.
Jun 15 08:08:10 mail spamd[20901]: spamd: result: Y 103 - BAYES_50,HTML_MESSAGE,MISSING_SUBJECT,SPF_PASS,TVD_SPACE_RATIO,USER_IN_BLACKLIST scantime=0.2,size=1729,user=client,uid=2130,required_score=6.0,rhost=localhost,raddr=127.0.0.1,rport=55987,mid=snt117-w309552c1e79d42eb67a294ad...@phx.gbl,bayes=0.479706,autolearn=no
Jun 15 08:08:10 mail sm-mta[21077]: p5FF86ld021067: to=cli...@pcez.com, delay=00:00:03, xdelay=00:00:02, mailer=local, pri=31672, dsn=2.0.0, stat=Sent

As you can see the user is in the black list but yet the mail was delivered. I checked other email that was over a score of 9 and the mail was rejected, but for some reason or another this was not.

Anyone have an idea why this is making it through?

Thanks, Ken

SpamAssassin merely assigns scores and doesn't do any rejections on its own. That is handled by whatever is calling SpamAssassin and using the score that the e-mail is assigned. This could be something like MailScanner, Amavis, or some other third party software.

Also, it would be better to blacklist an e-mail address at the MTA level (ex: Exim, Postfix)

Regards, Lawrence
Re: Spam not stopped???
On Thu, 16 Jun 2011, Lawrence @ Rogers wrote:

On 15/06/2011 11:13 PM, User for SpamAssassin Mail List wrote:

Lawrence,

Thanks for the response. I know SpamAssassin doesn't stop it; we use a spamassassin milter for sendmail to reject it. (We've been doing this for years.)

Anyway, here is a log on an email that was rejected:

Jun 15 06:27:33 mail spamd[981]: spamd: identified spam (22.2/6.0) for spamass-milter:111 in 2.1 seconds, 5378 bytes.
Jun 15 06:27:33 mail spamd[981]: spamd: result: Y 22 - AWL,BAYES_99,HTML_IMAGE_ONLY_12,HTML_MESSAGE,HTML_SHORT_LINK_IMG_1,SARE_SPEC_ROLEX,SARE_SPOOF_COM2COM,SARE_SPOOF_COM2OTH,SPOOF_COM2COM,SPOOF_COM2OTH,URIBL_AB_SURBL,URIBL_BLACK,URIBL_JP_SURBL,URIBL_RHS_DOB,URIBL_SBL,URIBL_SC_SURBL,URIBL_WS_SURBL scantime=2.1,size=5378,user=spamass-milter,uid=111,required_score=6.0,rhost=localhost,raddr=127.0.0.1,rport=42127,mid=20110615185711.2964.qmail@vsp-6214cbe9e6d,bayes=1.00,autolearn=spam
Jun 15 06:27:33 mail sm-mta[1251]: p5FDRUgF001251: Milter: data, reject=550 5.7.1 Blocked by SpamAssassin
Jun 15 06:27:33 mail sm-mta[1251]: p5FDRUgF001251: to=u...@pcez.com, delay=00:00:02, pri=35237, stat=Blocked by SpamAssassin

The reason we did not block this at the MTA level is we do not know if OTHER users might want email from this email address.

Anyway I'm still looking for a clue why one is blocked and the other is not.

Thanks, Ken

On Wed, 15 Jun 2011, Lawrence @ Rogers wrote:

On 15/06/2011 10:00 PM, User for SpamAssassin Mail List wrote:

Hello,

I have something I cannot explain. We blacklisted an email address for a client but SpamAssassin still let it through.

Here are the logs:

Jun 15 08:08:10 mail spamd[20901]: spamd: identified spam (104.0/6.0) for client:2130 in 0.2 seconds, 1729 bytes.
Jun 15 08:08:10 mail spamd[20901]: spamd: result: Y 103 - BAYES_50,HTML_MESSAGE,MISSING_SUBJECT,SPF_PASS,TVD_SPACE_RATIO,USER_IN_BLACKLIST scantime=0.2,size=1729,user=client,uid=2130,required_score=6.0,rhost=localhost,raddr=127.0.0.1,rport=55987,mid=snt117-w309552c1e79d42eb67a294ad...@phx.gbl,bayes=0.479706,autolearn=no
Jun 15 08:08:10 mail sm-mta[21077]: p5FF86ld021067: to=cli...@pcez.com, delay=00:00:03, xdelay=00:00:02, mailer=local, pri=31672, dsn=2.0.0, stat=Sent

As you can see the user is in the black list but yet the mail was delivered. I checked other email that was over a score of 9 and the mail was rejected, but for some reason or another this was not.

Anyone have an idea why this is making it through?

Thanks, Ken

SpamAssassin merely assigns scores and doesn't do any rejections on its own. That is handled by whatever is calling SpamAssassin and using the score that the e-mail is assigned. This could be something like MailScanner, Amavis, or some other third party software.

Also, it would be better to blacklist an e-mail address at the MTA level (ex: Exim, Postfix)

Regards, Lawrence

Although you shouldn't be using SARE rules anymore (no longer developed and reportedly hit many FPs), this e-mail would be blocked by a 9.0 limit. That would indicate that your setup is working, at least sometimes.

The first set of headers you posted were as follows:

Jun 15 08:08:10 mail spamd[20901]: spamd: result: Y 103 - BAYES_50,HTML_MESSAGE,MISSING_SUBJECT,SPF_PASS,TVD_SPACE_RATIO,USER_IN_BLACKLIST scantime=0.2,size=1729,user=client,uid=2130,required_score=6.0,rhost=localhost,raddr=127.0.0.1,rport=55987,mid=snt117-w309552c1e79d42eb67a294ad...@phx.gbl,bayes=0.479706,autolearn=no

BAYES_50 is 0.8
HTML_MESSAGE is 0.001
MISSING_SUBJECT is 0.001
SPF_PASS is -0.001
TVD_SPACE_RATIO is 0.001
USER_IN_BLACKLIST is 100.00

I got this from http://spamassassin.apache.org/tests_3_3_x.html (except MISSING_SUBJECT and TVD_SPACE_RATIO, which are not listed but are present in the current 3.3 rules available via sa-update)

So the overall score should have been 100.802

What was the score shown as being returned by SA?

Regards, Lawrence

As the log showed:

Jun 15 08:08:10 mail spamd[20901]: spamd: identified spam (104.0/6.0)

spamd is reporting it as spam.

sendmail.mc is set up as:

INPUT_MAIL_FILTER(`spamassassin', `S=local:/var/run/spamass/spamass.sock, F=, T=S:6m;R:9m;E:16m')dnl

As you can see the one message is blocked by MTA:

Jun 15 06:27:33 mail sm-mta[1251]: p5FDRUgF001251: Milter: data, reject=550 5.7.1 Blocked by SpamAssassin
Jun 15 06:27:33 mail sm-mta[1251]: p5FDRUgF001251: to=u...@pcez.com, delay=00:00:02, pri=35237, stat=Blocked by SpamAssassin

But the message in question got delivered even though the spamassassin said it was spam.

So it looked like the milter is working for one email but not the other. What would cause this?

Thanks, Ken
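The mismatch discussed in this thread (spamd scores a message above the milter's reject threshold, yet sendmail logs stat=Sent) can be searched for in syslog. The Python sketch below is an added example, not code from any poster or from SpamAssassin; its sample log is constructed from the lines quoted in the thread with placeholder addresses, queue ids and message ids, and pairing a verdict with a delivery by recipient local part within a few seconds is an assumption of the example.

```python
import re
from datetime import datetime, timedelta

REJECT_THRESHOLD = 9.0  # the milter's "-r 9" from the OPTIONS line quoted in the thread

# Constructed sample modelled on the log lines in the thread; queue ids,
# message ids and recipient addresses are placeholders.
SAMPLE_LOG = """\
Jun 15 06:27:33 mail spamd[981]: spamd: result: Y 22 - AWL,BAYES_99,URIBL_BLACK scantime=2.1,size=5378,user=spamass-milter,uid=111,required_score=6.0,rhost=localhost,raddr=127.0.0.1,rport=42127,mid=<placeholder-1@example.net>,bayes=1.00,autolearn=spam
Jun 15 06:27:33 mail sm-mta[1251]: QUEUEID0000001: Milter: data, reject=550 5.7.1 Blocked by SpamAssassin
Jun 15 06:27:33 mail sm-mta[1251]: QUEUEID0000001: to=<user@example.com>, delay=00:00:02, pri=35237, stat=Blocked by SpamAssassin
Jun 15 08:08:10 mail spamd[20901]: spamd: result: Y 103 - BAYES_50,HTML_MESSAGE,USER_IN_BLACKLIST scantime=0.2,size=1729,user=client,uid=2130,required_score=6.0,rhost=localhost,raddr=127.0.0.1,rport=55987,mid=<placeholder-2@example.net>,bayes=0.479706,autolearn=no
Jun 15 08:08:10 mail sm-mta[21077]: QUEUEID0000002: to=<client@example.com>, delay=00:00:03, xdelay=00:00:02, mailer=local, pri=31672, dsn=2.0.0, stat=Sent
Jun 15 08:09:02 mail spamd[20901]: spamd: result: . 1 - HTML_MESSAGE scantime=0.1,size=900,user=client,uid=2130,required_score=6.0,rhost=localhost,raddr=127.0.0.1,rport=55990,mid=<placeholder-3@example.net>,bayes=0.1,autolearn=no
Jun 15 08:09:02 mail sm-mta[21090]: QUEUEID0000003: to=<client@example.com>, delay=00:00:01, xdelay=00:00:01, mailer=local, pri=30900, dsn=2.0.0, stat=Sent
"""

SYSLOG = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ (?P<prog>[\w-]+)\[\d+\]: (?P<msg>.*)$")
RESULT = re.compile(
    r"^spamd: result: (?P<flag>[Y.]) (?P<score>-?\d+) - (?P<tests>\S*) (?P<kv>.+)$")
DELIVERY = re.compile(
    r"^(?P<qid>\w+): to=<?(?P<rcpt>[^>,\s]+)>?,.*\bstat=(?P<stat>.+)$")


def parse(log, year=2011):
    """Return (verdicts, deliveries) extracted from syslog text."""
    verdicts, deliveries = [], []
    for line in log.splitlines():
        m = SYSLOG.match(line)
        if not m:
            continue
        # Syslog omits the year; supply one (assumption: 2011, the thread's date).
        when = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        if m["prog"] == "spamd":
            r = RESULT.match(m["msg"])
            if r:
                # The trailing field is a comma-separated key=value list.
                kv = dict(p.split("=", 1) for p in r["kv"].split(",") if "=" in p)
                verdicts.append({"when": when, "score": float(r["score"]),
                                 "tests": r["tests"].split(","),
                                 "user": kv.get("user", ""), "uid": kv.get("uid", "")})
        elif m["prog"] == "sm-mta":
            d = DELIVERY.match(m["msg"])
            if d:  # "Milter: data, reject=..." lines carry no to= and are skipped
                deliveries.append({"when": when, "qid": d["qid"],
                                   "rcpt": d["rcpt"], "stat": d["stat"]})
    return verdicts, deliveries


def delivered_despite_score(log, threshold=REJECT_THRESHOLD, window=5):
    """Find deliveries (stat=Sent) that follow a spamd verdict at or above
    the reject threshold for the same local user within `window` seconds."""
    verdicts, deliveries = parse(log)
    findings = []
    for v in verdicts:
        if v["score"] < threshold:
            continue
        for d in deliveries:
            gap = d["when"] - v["when"]
            same_user = d["rcpt"].split("@")[0] == v["user"]
            if (same_user and d["stat"].startswith("Sent")
                    and timedelta(0) <= gap <= timedelta(seconds=window)):
                findings.append({"qid": d["qid"], "user": v["user"], "uid": v["uid"],
                                 "score": v["score"], "tests": v["tests"]})
    return findings


if __name__ == "__main__":
    for f in delivered_despite_score(SAMPLE_LOG):
        print(f"{f['qid']}: score {f['score']} delivered to {f['user']} "
              f"(uid {f['uid']}), rules: {','.join(f['tests'])}")
```

Each hit carries the user and uid spamd logged the verdict under, which is the difference Ken points to between the blocked and the delivered message.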
Pyzor Server
Hello,

I don't keep a constant eye on the mail server logs but did notice that pyzor was not working. I've pinged the server that I've been using for years:

# pyzor ping 82.94.255.100:24441
TimeoutError:

And see it is not working. I did a pyzor discover and found a public server and did a ping on it:

# pyzor ping public.pyzor.org:24441
(200, 'OK')

My question: Did this old server go away? And is this new server the one to use nowadays?

Thanks, Ken
spamd and sendmail mailertable
Hello,

We're using sendmail and its mailertable feature for forwarding certain domains to other mail servers. (using somedomain.com esmtp:[mail.somedomain.com])

When an email comes in for one of these forwarded domains it will check our greylist, our clamav, but will not do a spamassassin check.

Our sendmail.mc looks like: (skipped the first part)

# dnl # greylist settings
INPUT_MAIL_FILTER(`greylist', `S=local:/var/run/milter-greylist/greylist.sock')dnl
define(`confMILTER_MACROS_HELO', `{verify}, {cert_subject}')dnl
dnl # spamassassin settings
INPUT_MAIL_FILTER(`spamassassin', `S=local:/var/run/sendmail/spamass.sock, F=, T=S:6m;R:9m;E:16m')dnl
dnl # clamav-milter plugin form ClamAV Virus Scanner
include(`/etc/mail/m4/clamav-milter.m4')dnl
MAILER(local)dnl
MAILER(smtp)dnl

It's been a long time since I've gotten into the bowels of the spamassassin/sendmail setup, and at this point I cannot figure out why, when these emails come in for these forwarded domains, they are checked for greylist and clamav but not spamassassin.

Anyone have an idea?

Thanks, Ken
Re: spamd and sendmail mailertable
Checking into this more, I notice this happens on any email forwarded to another system. Spamassassin refuses to check it.

Any ideas?

Thanks, Ken

On Fri, 14 Mar 2008, User for SpamAssassin Mail List wrote:

Hello,

We're using sendmail and its mailertable feature for forwarding certain domains to other mail servers. (using somedomain.com esmtp:[mail.somedomain.com])

When an email comes in for one of these forwarded domains it will check our greylist, our clamav, but will not do a spamassassin check.

Our sendmail.mc looks like: (skipped the first part)

# dnl # greylist settings
INPUT_MAIL_FILTER(`greylist', `S=local:/var/run/milter-greylist/greylist.sock')dnl
define(`confMILTER_MACROS_HELO', `{verify}, {cert_subject}')dnl
dnl # spamassassin settings
INPUT_MAIL_FILTER(`spamassassin', `S=local:/var/run/sendmail/spamass.sock, F=, T=S:6m;R:9m;E:16m')dnl
dnl # clamav-milter plugin form ClamAV Virus Scanner
include(`/etc/mail/m4/clamav-milter.m4')dnl
MAILER(local)dnl
MAILER(smtp)dnl

It's been a long time since I've gotten into the bowels of the spamassassin/sendmail setup, and at this point I cannot figure out why, when these emails come in for these forwarded domains, they are checked for greylist and clamav but not spamassassin.

Anyone have an idea?

Thanks, Ken
Re: Is http://www.rulesemporium.com?
I have the same problem here:

traceroute to www.rulesemporium.com (72.52.4.74), 30 hops max, 38 byte packets
 1 roxanne.pcez.com (209.102.124.1) 0.179 ms 0.146 ms 0.143 ms
 2 52.ATM5-0.GW9.POR3.ALTER.NET (157.130.180.65) 3.016 ms 3.190 ms 2.917 ms
 3 0.so-4-3-0.XT2.POR3.ALTER.NET (152.63.104.254) 3.397 ms 3.131 ms 3.121 ms
 4 0.so-3-0-0.XL2.SJC7.ALTER.NET (152.63.0.146) 17.919 ms 17.896 ms 17.895 ms
 5 POS7-0-0.GW4.SJC7.ALTER.NET (152.63.48.245) 19.365 ms 19.351 ms 19.328 ms
 6 teliasonera-test-gw.customer.alter.net (157.130.215.70) 21.223 ms 21.364 ms 21.248 ms
 7 las-bb1-link.telia.net (213.248.80.17) 30.684 ms 30.711 ms 30.628 ms
 8 dls-bb1-link.telia.net (213.248.80.14) 71.889 ms 71.869 ms 71.875 ms
 9 mai-b1-link.telia.net (80.91.252.62) 98.787 ms 98.759 ms 98.765 ms
10 * * *

Ken

On Fri, 29 Feb 2008, David Filion wrote:

Ed Kasky wrote:

At 12:08 AM Friday, 2/29/2008, blaine wrote -=

I was not able to access http://www.rulesemporium.com? Is this working or moved somewhere?

Works fine from here. Site is reachable and resolves to 72.52.4.74 which pings fine as well.

Something's broken somewhere. From sunny Los Angeles where it was 80 degrees yesterday:

traceroute to 72.52.4.74 (72.52.4.74), 30 hops max, 40 byte packets
 1 ns5gt.wrenkasky.com (10.10.10.1) 0.620 ms 0.809 ms 1.058 ms
 2 router.wrenkasky.com (216.102.129.41) 13.910 ms 19.470 ms 24.269 ms
 3 dist4-vlan60.irvnca.sbcglobal.net (67.114.50.66) 29.160 ms 34.044 ms 38.922 ms
 4 bb2-g10-0.irvnca.sbcglobal.net (151.164.92.198) 85.450 ms 86.375 ms 87.311 ms
 5 151.164.93.167 (151.164.93.167) 70.757 ms 71.946 ms 72.868 ms
 6 151.164.251.214 (151.164.251.214) 74.810 ms 76.133 ms 80.781 ms
 7 dls-bb1-link.telia.net (213.248.80.14) 144.269 ms 72.000 ms 71.572 ms
 8 mai-b1-link.telia.net (80.91.252.62) 100.388 ms 102.816 ms 107.478 ms
 9 * * *
10 * * *
11 * * *
12 * * *
--snip--
30 * * *

Half / half here.

From one server it doesn't work:

traceroute to 72.52.4.74 (72.52.4.74), 30 hops max, 40 byte packets
 1 heroine.xprima.com (207.96.225.62) 0.621 ms 0.649 ms 0.695 ms
 2 ia-piex-gw06-vl1219.vtl.net (207.253.197.1) 1.667 ms 1.366 ms 0.978 ms
 3 216.113.123.9 (216.113.123.9) 1.721 ms 1.593 ms 1.248 ms
 4 ia-piex-bb04-pos11-0-0-cpe082.vtl.net (216.113.122.82) 14.211 ms * *
 5 sl-tisca1-60020-0.sprintlink.net (144.223.37.150) 11.102 ms 11.099 ms 23.997 ms
 6 so-0-0-0.mia11.ip.tiscali.net (89.149.186.45) 46.055 ms 46.032 ms 46.057 ms
 7 prolexic-gw.ip.tiscali.net (213.200.73.38) 46.046 ms 46.059 ms 45.550 ms
 8 * * *
 9 * * *
--snip--
30 * * *

From a second server it does:

traceroute to 72.52.4.74 (72.52.4.74), 30 hops max, 38 byte packets
 1 erx02.tor.pppoe.ca (206.248.154.120) 52.137 ms 47.751 ms 49.089 ms
 2 i2110.border1.pppoe.ca (206.248.155.249) 48.226 ms 47.784 ms 47.483 ms
 3 65.39.198.249 (65.39.198.249) 46.819 ms 48.314 ms 47.175 ms
 4 oc48-po4-0.nyc-telx-dis-2.peer1.net (216.187.115.126) 56.828 ms 57.145 ms 56.887 ms
 5 oc48-po3-0.nyc-75bre-dis-1.peer1.net (216.187.115.134) 58.735 ms 57.571 ms 58.153 ms
 6 oc48-po2-0.wdc-eqx-dis-1.peer1.net (216.187.115.54) 63.232 ms 64.553 ms 63.534 ms
 7 * * *
 8 unknown.hwng.net (69.16.190.161) 85.520 ms 86.509 ms 85.609 ms
 9 1-1.r1.lo.hwng.net (69.16.191.50) 153.904 ms 154.564 ms 154.897 ms
10 unknown.hwng.net (69.16.189.66) 148.284 ms 148.410 ms 148.168 ms
11 unknown.prolexic.com (209.200.156.34) 147.512 ms 148.232 ms 148.250 ms
12 unknown.prolexic.com (72.52.4.74) 147.229 ms 148.328 ms 148.167 ms

David
Re: A rule for empty body and pdf attachment??
Hello,

We are running a Debian Sarge system here with spamassassin version Version: 3.0.3-2sarge1.

I tried to put these plugins (ImageInfo and loadplugin) into my system and got the following errors when I restarted:

Aug 2 12:08:56 mail spamd[8789]: failed to parse plugin (from @INC): Can't locate Mail/SpamAssassin/Logger.pm in @INC (@INC contains: lib ../lib /usr/share/perl5 /etc/perl /usr/local/lib/perl/5.8.4 /usr/local/share/perl/5.8.4 /usr/lib/perl5 /usr/lib/perl/5.8 /usr/share/perl/5.8 /usr/local/lib/site_perl) at /usr/share/perl5/Mail/SpamAssassin/Plugin/ImageInfo.pm line 100._BEGIN failed--compilation aborted at /usr/share/perl5/Mail/SpamAssassin/Plugin/ImageInfo.pm line 100._Compilation failed in require at (eval 26) line 1.
Aug 2 12:08:56 mail spamd[8789]: failed to create instance of plugin Mail::SpamAssassin::Plugin::ImageInfo: Can't locate object method new via package Mail::SpamAssassin::Plugin::ImageInfo at (eval 27) line 1.
Aug 2 12:08:56 mail spamd[8789]: failed to parse plugin (from @INC): Can't locate Mail/SpamAssassin/Logger.pm in @INC (@INC contains: lib ../lib /usr/share/perl5 /etc/perl /usr/local/lib/perl/5.8.4 /usr/local/share/perl/5.8.4 /usr/lib/perl5 /usr/lib/perl/5.8 /usr/share/perl/5.8 /usr/local/lib/site_perl) at /usr/share/perl5/Mail/SpamAssassin/Plugin/PDFInfo.pm line 131._BEGIN failed--compilation aborted at /usr/share/perl5/Mail/SpamAssassin/Plugin/PDFInfo.pm line 131._Compilation failed in require at (eval 28) line 1.
Aug 2 12:08:56 mail spamd[8789]: failed to create instance of plugin Mail::SpamAssassin::Plugin::PDFInfo: Can't locate object method new via package Mail::SpamAssassin::Plugin::PDFInfo at (eval 29) line 1.

---

What am I missing here to make this work?

Thanks, Ken

On Thu, 2 Aug 2007, Jeroen Tebbens wrote:

Hi,

Get the plugin PDFinfo http://www.rulesemporium.com/plugins/ And it will give you more control about PDF spam. It has a rule for empty body emails with PDF attachment (GMD_PDF_EMPTY_BODY) and give it a score to your liking.

/Jeroen

On Thu, 2 Aug 2007, Michael W Cocke wrote:

These blasted PDF spams are driving me mad! Any ideas for a rule that would trip if there's no text in the body, just a PDF attachment ? (I'm using the PDFinfo plugin now, but I don't really understand it)

Thanks!

Mike-

-- If you're not confused, you're not trying hard enough.
-- Please note - Due to the intense volume of spam, we have installed site-wide spam filters at catherders.com. If email from you bounces, try non-HTML, non-encoded, non-attachments,
Re: A rule for empty body and pdf attachment??
As a follow up:

I found a Logger.pm on the system but it was not in the /usr/share/perl5/Mail/SpamAssassin/ directory. I did find one in the /usr/share/perl5/Razor2 directory. I made a copy of this Logger.pm file and placed it in the Mail/SpamAssassin/ directory like it was looking for in the error log below.

When I restarted the spamassassin program I got different errors this time:

---
Aug 2 13:00:23 mail spamd[4820]: spamd starting
Aug 2 13:00:23 mail spamd[4822]: Subroutine new redefined at /usr/share/perl5/Mail/SpamAssassin/Logger.pm line 17.
Aug 2 13:00:23 mail spamd[4822]: Subroutine log redefined at /usr/share/perl5/Mail/SpamAssassin/Logger.pm line 73.
Aug 2 13:00:23 mail spamd[4822]: Subroutine log2file redefined at /usr/share/perl5/Mail/SpamAssassin/Logger.pm line 114.
Aug 2 13:00:24 mail spamd[4822]: Failed to run GMD_PDF_FUZZY2_T1 SpamAssassin test, skipping:__(Undefined subroutine Mail::SpamAssassin::Plugin::PDFInfo::dbg called at /usr/share/perl5/Mail/SpamAssassin/Plugin/PDFInfo.pm line 393._)

My guess is that this is not the right Logger.pm file. Where do I find the correct file so I can make this work? And is that my only problem???

Thanks, Ken

On Thu, 2 Aug 2007, User for SpamAssassin Mail List wrote:

Hello,

We are running a Debian Sarge system here with spamassassin version Version: 3.0.3-2sarge1.

I tried to put these plugins (ImageInfo and loadplugin) into my system and got the following errors when I restarted:

Aug 2 12:08:56 mail spamd[8789]: failed to parse plugin (from @INC): Can't locate Mail/SpamAssassin/Logger.pm in @INC (@INC contains: lib ../lib /usr/share/perl5 /etc/perl /usr/local/lib/perl/5.8.4 /usr/local/share/perl/5.8.4 /usr/lib/perl5 /usr/lib/perl/5.8 /usr/share/perl/5.8 /usr/local/lib/site_perl) at /usr/share/perl5/Mail/SpamAssassin/Plugin/ImageInfo.pm line 100._BEGIN failed--compilation aborted at /usr/share/perl5/Mail/SpamAssassin/Plugin/ImageInfo.pm line 100._Compilation failed in require at (eval 26) line 1.
Aug 2 12:08:56 mail spamd[8789]: failed to create instance of plugin Mail::SpamAssassin::Plugin::ImageInfo: Can't locate object method new via package Mail::SpamAssassin::Plugin::ImageInfo at (eval 27) line 1.
Aug 2 12:08:56 mail spamd[8789]: failed to parse plugin (from @INC): Can't locate Mail/SpamAssassin/Logger.pm in @INC (@INC contains: lib ../lib /usr/share/perl5 /etc/perl /usr/local/lib/perl/5.8.4 /usr/local/share/perl/5.8.4 /usr/lib/perl5 /usr/lib/perl/5.8 /usr/share/perl/5.8 /usr/local/lib/site_perl) at /usr/share/perl5/Mail/SpamAssassin/Plugin/PDFInfo.pm line 131._BEGIN failed--compilation aborted at /usr/share/perl5/Mail/SpamAssassin/Plugin/PDFInfo.pm line 131._Compilation failed in require at (eval 28) line 1.
Aug 2 12:08:56 mail spamd[8789]: failed to create instance of plugin Mail::SpamAssassin::Plugin::PDFInfo: Can't locate object method new via package Mail::SpamAssassin::Plugin::PDFInfo at (eval 29) line 1.

---

What am I missing here to make this work?

Thanks, Ken

On Thu, 2 Aug 2007, Jeroen Tebbens wrote:

Hi,

Get the plugin PDFinfo http://www.rulesemporium.com/plugins/ And it will give you more control about PDF spam. It has a rule for empty body emails with PDF attachment (GMD_PDF_EMPTY_BODY) and give it a score to your liking.

/Jeroen

On Thu, 2 Aug 2007, Michael W Cocke wrote:

These blasted PDF spams are driving me mad! Any ideas for a rule that would trip if there's no text in the body, just a PDF attachment ? (I'm using the PDFinfo plugin now, but I don't really understand it)

Thanks!

Mike-

-- If you're not confused, you're not trying hard enough.
-- Please note - Due to the intense volume of spam, we have installed site-wide spam filters at catherders.com. If email from you bounces, try non-HTML, non-encoded, non-attachments,
pyzor problem.
Hello,

I've noticed a big jump in spam here and looking through logs it looks like my system is not getting pyzor to respond. When I do a spamassassin --lint -D I show:

debug: Pyzor is available: /usr/bin/pyzor
debug: Pyzor: got response: 66.250.40.33:24441 TimeoutError:
debug: Pyzor: couldn't grok response 66.250.40.33:24441TimeoutError:

Has something changed with pyzor as of late? Anyone have any clues?

Thanks, Ken
Re: pyzor problem.
On Mon, 30 Jul 2007, Gary V wrote:

We noticed pyzor latency/timeouts last week and had to disable it.

User for SpamAssassin Mail List wrote:

Hello,

I've noticed a big jump in spam here and looking through logs it looks like my system is not getting pyzor to respond. When I do a spamassassin --lint -D I show:

debug: Pyzor is available: /usr/bin/pyzor
debug: Pyzor: got response: 66.250.40.33:24441 TimeoutError:
debug: Pyzor: couldn't grok response 66.250.40.33:24441 TimeoutError:

Has something changed with pyzor as of late? Anyone have any clues?

Thanks, Ken

--
Joel Nimety

I think the main server has been overloaded for a couple years now. Find .../.pyzor/servers file and replace 66.250.40.33:24441 with 82.94.255.100:24441

It should help.

Gary V

Gary,

That server 82.94.255.100:24441 solved the problem. The next problem was how to change that IP address in the ~/.pyzor/servers files for all the customers. So I put together a script to do just that. Here is that script in case others want to do the same thing.

Thanks, Ken

You must put in a servers file in the /etc/skel/.pyzor directory with 82.94.255.100:24441 in the servers file.

Script follows:

#!/bin/sh
#
# This script changes the pyzor server in each user's home directory to
# the server that is listed in /etc/skel/.pyzor/servers .
# This became a problem when the primary server stopped
# responding. - knr - 7-07
#
SRC=/etc/skel/.pyzor/servers
[ -f "$SRC" ] || { echo "missing $SRC" >&2; exit 1; }

for HOMEDIR in /home/*/; do
    USERNAME=$(basename "$HOMEDIR")
    DEST="/home/${USERNAME}/.pyzor/servers"
    # This runs as root (chown): skip symlinks so a user cannot redirect the
    # copy or the chown to a file outside their own home directory.
    if [ -d "/home/${USERNAME}/.pyzor" ] && [ ! -L "/home/${USERNAME}/.pyzor" ] &&
       [ -f "$DEST" ] && [ ! -L "$DEST" ]; then
        cp "$SRC" "$DEST"
        chown -h "${USERNAME}:users" "$DEST"
    fi
done
rules_du_jour
Has anyone come up with a rule that will combat the spam that I have been seeing lately? That is a spam that rambles about much of nothing then has an image or a link at the bottom.

I see more and more of these and it seems like the spammers have figured out a way to get this past SA.

I include one such message at the end of this post.

Thanks, Ken

Example of this spam:

[IMAGE] Jeg er udvalgt som blogger, dvs. There is little doubt that asynchronous solutions require us to think in new ways as we have to deal with concurrency, out-of-sequence issues, correlation and other. Ingen interesse mere. But it makes me feel better that Ted Neward seems to beat me in that category, though. In my eyes this is really the best indicator of success for a pattern language. We don't have to go further than the local coffee shop. But it makes me feel better that Ted Neward seems to beat me in that category, though. While the conference logistics can be quirky at times the content is top notch. Even if you choose the right specification, it still is likely to evolve over time. Jeg er udvalgt som blogger, dvs. However, when building distributed applications, that asymmetry really has no place. After loosely coupled, stateless must be a close runner-up as the ultimate nirvana in buzzword-compliant architectures. While Java is not necessarily the greatest language to host a DSL we can go a lot further than developers generally believe or care for. Ideally, the debate would involve alcoholic beverages and the other person would pick up the check. This time, though, Ken Arnold stole a little bit of my show by publishing an excellent article in ACM Queue magazine called Programmers are People, too. During the proverbial hallway discussions we started talking about boxes and lines, but in a profound way. Read on to learn more about the implementation and our experiences with intra-JVM EDA.
Hearing this tag line for the third or fourth time got me wondering, what really is the difference between coding and configuring? For one thing, a fair number of my intellectual drinking buddies tend to congregate around the large software company in the Pacific Northwest. First, because I was going to meet the exalted one in person.
Error Message
We are getting an error message in our log files and the spamd process is swelling to over twice its size in memory. The log files show this message:

Mar 9 09:53:00 mail spamd[20283]: Deep recursion on subroutine Mail::SpamAssassin::Message::Node::_find_parts at /usr/share/perl5/Mail/SpamAssassin/Message/Node.pm line 122, GEN226 line 6796.
Mar 9 09:53:00 mail last message repeated 2 times

Also have seen this message today on the same server:

Mar 9 06:53:58 mail spamd[21734]: Deep recursion on subroutine Mail::SpamAssassin::Message::parse_body at /usr/share/perl5/Mail/SpamAssassin/Message.pm line 511, GEN796 line 6290.

We are running a Debian spamassassin ver 3.0.3-2.

Any ideas?

Thanks, Ken
DCC stops working.
Hello,

I've noticed that when my mail server starts taking a big load hit, DCC stops working. I get lines like this in the syslog:

Jan 4 10:59:21 mail dccproc[1051]: continue not asking DCC 227 seconds after failure
Jan 4 10:59:21 mail dccproc[1052]: continue not asking DCC 227 seconds after failure
Jan 4 10:59:27 mail dccproc[1113]: continue not asking DCC 221 seconds after failure

Most of the time it works fine. Any ideas why it stops working?

Thanks, Ken Rea
Question about --max-children
Hello,

When starting the program, I'm wondering about how many children I can start and what the problems might be with too many. My start up file states:

# NOTE: version 3.0.x has switched to a preforking model, so you
# need to make sure --max-children is not set to anything higher than
# 5, unless you know what you're doing.

At this time my options are:

OPTIONS=--create-prefs --max-children 9 --helper-home-dir --max-conn-per-child 100

Our server is busy enough where even 9 --max-children may not be enough. Any suggestions?

We are running a server with an AMD Athlon(tm) XP 2100+ processor and a SCSI RAID array and 3 gigs of memory.

Thanks, Ken Rea
RE: Question about --max-children
How much memory are you running?

Thanks, Ken

On Thu, 8 Dec 2005 [EMAIL PROTECTED] wrote:

User for SpamAssassin Mail List wrote:

# NOTE: version 3.0.x has switched to a preforking model, so you
# need to make sure --max-children is not set to anything higher than
# 5, unless you know what you're doing.

...

Our server is busy enough where even 9 --max-children may not be enough.

Hopefully, then, you know what you're doing. :)

FWIW, My --max-children is 20.

--
Matthew.van.Eerde (at) hbinc.com 805.964.4554 x902
Hispanic Business Inc./HireDiversity.com
Software Engineer
Re[3]: What Optional Rules do I really need?
Yes, clamd does a good job on phishing emails.

Thanks, Ken Rea

On Thu, 1 Dec 2005, Robert Menschel wrote:

Hello User,

Thursday, December 1, 2005, 4:26:43 PM, you wrote:

UfSML SARE_FRAUD was suggested but would this be a duplication when
UfSML we are running clamd virus scanner on all the mail?

I don't think so. The fraud rules file is aimed at phishing emails. If clamd catches your phishing emails, then yes, it'd be a duplication. If clamd doesn't do too good a job on phish, then the fraud rules would be worth having.

Bob Menschel
spamd: fatal: setuid
Hello,

I'm getting these errors on some users when the spamd program tries to setuid to the user's ID. Here is some of the log file showing the error:

Dec 1 09:24:38 mail spamd[1897]: connection from localhost [127.0.0.1] at port 57112
Dec 1 09:24:38 mail spamd[1897]: fatal: setuid to chuck failed
Dec 1 09:24:38 mail spamd[1897]: error: Died at /usr/sbin/spamd line 1399, GEN505 line 2._ , continuing
Dec 1 09:24:39 mail spamd[2696]: connection from localhost [127.0.0.1] at port 57115
Dec 1 09:24:39 mail spamd[2696]: fatal: setuid to stingrea failed
Dec 1 09:24:39 mail spamd[2696]: error: Died at /usr/sbin/spamd line 1399, GEN513 line 2._ , continuing

We are running spamassassin ver - Debian 3.0.3-2 on this system.

Any idea on what to look for to solve this problem?

Thanks, Ken Rea
Re: spamd: fatal: setuid
Yes, the users do exist and usually it works fine.

Ken

On Thu, 1 Dec 2005, Theo Van Dinter wrote:

On Thu, Dec 01, 2005 at 12:54:17PM -0800, User for SpamAssassin Mail List wrote:

I'm getting these errors on some users when the spamd program tries to setuid to the user's ID. Here is some of the log file showing the error:

Do those users actually exist? Does your perl support setuid?

Dec 1 09:24:38 mail spamd[1897]: fatal: setuid to chuck failed
Dec 1 09:24:39 mail spamd[2696]: fatal: setuid to stingrea failed

--
Randomly Generated Tagline: Imagination is more important than knowledge. - Albert Einstein
Re: spamd: fatal: setuid
I think this is where the problem is coming in. Looking through the logs I found this:

Dec 1 09:13:20 mail spamd[31417]: DCC - check failed: cannot fork: Too many open files in system at /usr/share/perl5/Mail/SpamAssassin/Util.pm line 1019, GEN2184 line 101.
Dec 1 09:13:20 mail spamd[31417]: clean message (-2.2/6.0) for jbrugger:2917 in 0.8 seconds, 4001 bytes.

So how does one fix the problem of too many open files on a system?

Thanks,
Ken Rea

On Thu, 1 Dec 2005, User for SpamAssassin Mail List wrote:

Yes the users do exist and usually it works fine.

Ken

On Thu, 1 Dec 2005, Theo Van Dinter wrote:

On Thu, Dec 01, 2005 at 12:54:17PM -0800, User for SpamAssassin Mail List wrote:

I'm getting these errors on some users when the spamd program tries to setuid to the user's ID. Here is some of the log file showing the error:

Do those users actually exist? Does your perl support setuid?

Dec 1 09:24:38 mail spamd[1897]: fatal: setuid to chuck failed
Dec 1 09:24:39 mail spamd[2696]: fatal: setuid to stingrea failed

--
Randomly Generated Tagline: Imagination is more important than knowledge. - Albert Einstein
Re: spamd: fatal: setuid
Matt,

It's a Debian Stable system, and I did bump up that file and also put in a script on boot up to raise that number. Some of the ideas I found (after doing a google search) suggested changing the inode-max as well but I could not find that in the proc file system. We will see if that solves the problem.

Thanks,
Ken Rea

On Thu, 1 Dec 2005, Matt Kettler wrote:

User for SpamAssassin Mail List wrote:

I think this is where the problem is coming in. Looking through the logs I found this:

Dec 1 09:13:20 mail spamd[31417]: DCC - check failed: cannot fork: Too many open files in system at /usr/share/perl5/Mail/SpamAssassin/Util.pm line 1019, GEN2184 line 101.
Dec 1 09:13:20 mail spamd[31417]: clean message (-2.2/6.0) for jbrugger:2917 in 0.8 seconds, 4001 bytes.

So how does one fix the problem of too many open files on a system?

What kind of OS is it? On most linux kernels you can adjust the system-wide file handle limit using /proc/sys/fs/file-max.

Stealing an example from http://www.linuxforum.com/linux-filesystem/proc.html

# cat /proc/sys/fs/file-max
4096
# echo 8192 > /proc/sys/fs/file-max
# cat /proc/sys/fs/file-max
8192
Re: spamd: fatal: setuid
As a follow up I did find this on a Debian web site:

echo 65536 > /proc/sys/fs/file-max # for 2.2 and 2.4 kernel
echo 131072 > /proc/sys/fs/inode-max # for 2.2 kernel only

So it looks like you don't have to worry about inodes on a 2.4 kernel.

Ken Rea

On Thu, 1 Dec 2005, User for SpamAssassin Mail List wrote:

Matt,

It's a Debian Stable system, and I did bump up that file and also put in a script on boot up to raise that number. Some of the ideas I found (after doing a google search) suggested changing the inode-max as well but I could not find that in the proc file system. We will see if that solves the problem.

Thanks,
Ken Rea

On Thu, 1 Dec 2005, Matt Kettler wrote:

User for SpamAssassin Mail List wrote:

I think this is where the problem is coming in. Looking through the logs I found this:

Dec 1 09:13:20 mail spamd[31417]: DCC - check failed: cannot fork: Too many open files in system at /usr/share/perl5/Mail/SpamAssassin/Util.pm line 1019, GEN2184 line 101.
Dec 1 09:13:20 mail spamd[31417]: clean message (-2.2/6.0) for jbrugger:2917 in 0.8 seconds, 4001 bytes.

So how does one fix the problem of too many open files on a system?

What kind of OS is it? On most linux kernels you can adjust the system-wide file handle limit using /proc/sys/fs/file-max.

Stealing an example from http://www.linuxforum.com/linux-filesystem/proc.html

# cat /proc/sys/fs/file-max
4096
# echo 8192 > /proc/sys/fs/file-max
# cat /proc/sys/fs/file-max
8192
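An added example, not part of the original posts: a shell triage for the symptoms discussed in this thread. It counts spamd "setuid to ... failed" lines per user, counts "Too many open files in system" errors, and reports how close the allocated handle count in /proc/sys/fs/file-nr is to file-max. The log lines are constructed, modelled on the ones quoted above, and the function names are hypothetical.

```shell
#!/bin/sh
# Constructed sample: spamd syslog lines modelled on those quoted in the thread.
SAMPLE_LOG='Dec 1 09:13:20 mail spamd[31417]: DCC - check failed: cannot fork: Too many open files in system at /usr/share/perl5/Mail/SpamAssassin/Util.pm line 1019.
Dec 1 09:13:20 mail spamd[31417]: clean message (-2.2/6.0) for jbrugger:2917 in 0.8 seconds, 4001 bytes.
Dec 1 09:24:38 mail spamd[1897]: fatal: setuid to chuck failed
Dec 1 09:24:39 mail spamd[2696]: fatal: setuid to stingrea failed
Dec 1 09:31:02 mail spamd[2801]: fatal: setuid to chuck failed'

# Print "count user" for every user spamd failed to setuid to, sorted by user.
setuid_failures() {
    printf '%s\n' "$1" |
        sed -n 's/.*spamd\[[0-9]*]: fatal: setuid to \([^ ]*\) failed.*/\1/p' |
        sort | uniq -c | awk '{ print $1, $2 }'
}

# Count log lines that report system-wide file table exhaustion.
# grep -c exits non-zero on a zero count, so the status is masked.
enfile_hits() {
    printf '%s\n' "$1" | grep -c 'Too many open files in system' || true
}

# Allocated handles as a whole-number percentage of the system-wide limit.
# Input is the content of /proc/sys/fs/file-nr: field 1 is the number of
# allocated handles, field 3 is the maximum (the value of file-max).
handle_usage_pct() {
    printf '%s\n' "$1" | awk '$3 > 0 { printf "%d\n", $1 * 100 / $3 }'
}

echo "setuid failures per user:"
setuid_failures "$SAMPLE_LOG"
echo "file table exhaustion lines: $(enfile_hits "$SAMPLE_LOG")"
# Live reading, only where the proc file exists (Linux).
if [ -r /proc/sys/fs/file-nr ]; then
    echo "handles allocated: $(handle_usage_pct "$(cat /proc/sys/fs/file-nr)")% of file-max"
fi
```

Run against a real mail log, exhaustion lines that appear shortly before the setuid failures point at the handle limit rather than at the user accounts.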
Re[2]: What Optional Rules do I really need?
Thanks Bob,

SARE_FRAUD was suggested but would this be a duplication when we are running clamd virus scanner on all the mail?

Thanks,
Ken Rea

On Wed, 30 Nov 2005, Robert Menschel wrote:

Wednesday, November 30, 2005, 11:59:23 AM, Matt wrote:

MK I'm not well versed in picking the minimalist set for a low-resource site, but
MK I can at least tell you what I know you should avoid.
MK In general, the bigger the .cf file, the more resource intensive it will likely
MK be. Admittedly this is a wildly inaccurate measure because of non-rule content,
MK but it's better than nothing. I tend to be wary of .cf files over 128k, and I'd
MK keep the total under 256k.
MK FWIW, I personally like these SARE rulesets:
MK 70_sare_adult.cf (SARE_ADULT)
MK 70_sare_evilnum0.cf (SARE_EVILNUMBERS0)
MK 70_sare_evilnum1.cf (SARE_EVILNUMBERS1)
MK 70_sare_genlsubj0.cf (SARE_GENLSUBJ0)
MK 70_sare_obfu0.cf (SARE_OBFU0)
MK 70_sare_random.cf (SARE_RANDOM)
MK 70_sare_specific.cf (SARE_SPECIFIC)
MK 70_sare_uri0.cf (SARE_URI0)
MK 99_sare_fraud_post25x.cf (SARE_FRAUD)

In addition, I suggest 70_sare_html0.cf -- all the 70_sare_*0.cf rules files that I maintain are the ones which during SARE mass-checks hit no ham, and hit significant (by our classification) spam.

Read the documentation in those *0.cf files, and you'll be able to determine for yourself whether to also use the *1.cf files.

If you're tight on resources, stay away from 70_sare_obfu1.cf, though it is a very powerful file and useful to many systems.

Bob Menschel
What Optional Rules do I really need?
Hello,

We have a mail system that looks at about 30k incoming emails a day. We have been running SA for about a month (ver 3.03). We run this on a spamass-milter off of sendmail. With the standard rules it has been running OK but does not stop as much spam as we would like (we do sa learn as well). The system runs about 1 gig of memory and is pretty fast.

Anyway I just put on rulesdujour and got it up and running but what a big jump in resources. So what would the common consensus be on what rules to run to make the biggest dent on incoming spam with the smallest jump in resources?

Thanks,
Ken Rea
Re: What Optional Rules do I really need?
On Wed, 30 Nov 2005, Matt Kettler wrote:

User for SpamAssassin Mail List wrote:

Hello, We have a mail system that looks at about 30k incoming emails a day. We have been running SA for about a month (ver 3.03).

WARNING: 3.0.3 is subject to a remotely exploitable DoS attack. All an attacker needs to do is send you a bunch of malformed messages.

Actually it is Debian 3.0.3-2, so I am assuming that they have taken care of the DoS attack problem?

Definitely do not use any large rule-sets if you don't want to waste a ton of resources. Most especially BLACKLIST in RDJ's trusted ruleset. Also, since you're using 3.0.x, don't use antidrug. These rules are built-in on 3.0.0 and higher.

Well I was looking for the names of the rules from the people that know... in the RDJ's trusted ruleset. All I can do is an educated guess on what might be the best to run; it would be far better to tap into the experience of the group.

Thanks,
Ken Rea
Change Temp Directory
Hello, I've looked around and could not find this answer. How does one change the temp directory that spamd uses? I see it using /tmp on our debian sarge server using a debian spamassassin 3.0.3-2 version. I would like to change it to /var/tmp which on our system is a much faster SCSI raid disk. Thanks for your help, Ken Rea
RE: Change Temp Directory
But spamd changes user id each time it's used; this would not work too well, would it?

Ken

On Fri, 11 Nov 2005 [EMAIL PROTECTED] wrote:

User for SpamAssassin Mail List wrote:

I've looked around and could not find this answer. How does one change the temp directory that spamd uses? I see it using /tmp on our debian sarge server using a debian spamassassin 3.0.3-2 version. I would like to change it to /var/tmp which on our system is a much faster SCSI raid disk.

From USAGE:

- SpamAssassin now uses a temporary file in /tmp (or $TMPDIR, if that's set in the environment) for Pyzor and DCC checks. Make sure that this directory is either (a) not writable by other users, or (b) not shared over NFS, for security.

So, if you set $TMPDIR in the spamd user's environment to /var/tmp, that should do it.

--
Matthew.van.Eerde (at) hbinc.com 805.964.4554 x902
Hispanic Business Inc./HireDiversity.com
Software Engineer