Re: Bayes "corpus" - how old?
On 1/30/2024 10:58:52, Matus UHLAR - fantomas wrote: On 30.01.24 09:59, joe a wrote: Advisable to "prune" Bayes data based on age? While cleaning up recent Ham/Spam, found my "saved SPAM" goes back to 2013. Why that's over . . . wait, I need to take off my socks . . . So, how old is "too old". For saved SPAM? I did retrain on old spam a few times and it was working fine. Depends on how much mail you have:

0.000 0 7542 0 non-token data: nspam
0.000 0 80869 0 non-token data: nham
0.000 0 996032 0 non-token data: ntokens
0.000 0 1172945918 0 non-token data: oldest atime

so, even old spam may be fine. You however need much of ham to train otherwise everything starts looking like spam. Recently missed spam has increased a bit, so I was dropping it into "missed spam" and went poking through marked spam and found lots of "missed ham". Which triggered my pondering.
Bayes "corpus" - how old?
Advisable to "prune" Bayes data based on age? While cleaning up recent Ham/Spam, found my "saved SPAM" goes back to 2013. Why that's over . . . wait, I need to take off my socks . . . So, how old is "too old". For saved SPAM?
Re: when whitelisting, do what with marked SPAM?
On 11/14/2023 13:46:11, Matus UHLAR - fantomas wrote: On 14.11.23 13:05, joe a wrote: Low volume home office user and system. Occasionally when first dealing with a new entity, their correspondence gets flagged as SPAM. When I whitelist these, what should be done with those messages that might remain in "flagged SPAM" or "Missed SPAM"?, thinking along lines of keeping BAYES "clean and sharp". So to speak. Leave as is? Delete and re learn? Simply relearn FPs. Unless you have huge misclassification issue, learning as few mail as one should fix BAYES issues. Move previously tagged SPAM into HAM folder and "relearn"?
Re: when whitelisting, do what with marked SPAM?
On 11/14/2023 20:48:27, John Hardin wrote: On Tue, 14 Nov 2023, joe a wrote: Low volume home office user and system. Occasionally when first dealing with a new entity, their correspondence gets flagged as SPAM. When I whitelist these, what should be done with those messages that might remain in "flagged SPAM" or "Missed SPAM"?, thinking along lines of keeping BAYES "clean and sharp". So to speak. Leave as is? Delete and re learn? For a low volume home office user, I would simply NOT autolearn. Set up a hambox and a spambox and manually feed them and train from them. I have autolearn off and have a spam and ham folder set up and "relearn" twice daily.
when whitelisting, do what with marked SPAM?
Low volume home office user and system. Occasionally when first dealing with a new entity, their correspondence gets flagged as SPAM. When I whitelist these, what should be done with those messages that might remain in "flagged SPAM" or "Missed SPAM"?, thinking along lines of keeping BAYES "clean and sharp". So to speak. Leave as is? Delete and re learn?
Re: Stealth HREF= (missed by SA)
On Friday, September 15, 2023 15:34, Giovanni wrote: On 9/14/23 17:01, Pedro David Marco wrote: The same happens with other HTML tags... do you have a spample to share (public or privately) ? I am happy to confirm that revision 1912414 is working great and fixes the problem. Grazie mille! Joe SURBL Thanks Giovanni
Stealth HREF= (missed by SA)
I filed a bug for this issue on Bugzilla (#8186) but so far no response from developers. https://bz.apache.org/SpamAssassin/show_bug.cgi?id=8186

We're seeing literally millions of phishing spams from Tencent VMs in Singapore targeting mostly Amazon Japan that are getting around SA checks because of this issue. I am wondering how many other users are seeing this problem which allows spammers to circumvent URI checks in links in spam (i.e. hide the payload sites).

They do it by prefixing the href= attribute in an HTML tag with letters and a slash, for example: https://some.phishing.site:>https://amazon.co.jp

Both Chrome and mail clients like Mozilla Thunderbird discard that "h/" prefix (perhaps treating it as a separate unrecognizable attribute, like "h href="...") and display a clickable link to the payload site while SpamAssassin will not see the URI and therefore not run it through any of the rules for URIs. This means even if the bad site is listed on domain RBLs (SURBL, Spamhaus or URIBL), the mail is not tagged for that.

Joe Wein SURBL
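A defender-side check for the malformed markup described in this post, as an added example that is not part of the original message or of SpamAssassin: it reads anchors with Python's tolerant `html.parser`, which still yields the `href` value, and flags tags where `href=` is attached to preceding characters by a slash. The sample HTML, the `.example` hosts and all function names are constructed for the illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Quoted attribute values are blanked first, so a URL that merely
# contains "/href=" cannot trigger the check.
_QUOTED = re.compile(r'"[^"]*"|\'[^\']*\'')
# href= attached to preceding characters by "/" instead of whitespace,
# e.g. the "h/href=" form described in the post.
_GLUED_HREF = re.compile(r'[^\s/<]+/+href\s*=', re.IGNORECASE)

# Constructed sample: one anchor with the prefixed attribute, one benign
# anchor whose URL contains "/href=", one benign unquoted href.
SAMPLE_HTML = (
    '<p><a h/href="https://payload.example/login">https://shop.example</a></p>'
    '<p><a class="btn" href="https://shop.example/r/href=1">ok</a></p>'
    '<p><a href=https://shop.example/plain>plain</a></p>'
)


class AnchorAudit(HTMLParser):
    """Collect every <a> that carries an href and note how it was written."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "a":
            return
        href = next((v for k, v in attrs if k == "href" and v), None)
        if href is None:
            return
        raw = self.get_starttag_text() or ""
        bare = _QUOTED.sub('""', raw)
        self.findings.append({
            "href": href,
            "host": (urlsplit(href).hostname or "").lower(),
            "glued_href": bool(_GLUED_HREF.search(bare)),
            "raw_tag": raw,
        })


def audit_links(html):
    """Return one finding per anchor, in document order."""
    parser = AnchorAudit()
    parser.feed(html)
    parser.close()
    return parser.findings


def suspicious_hosts(html):
    """Hosts reached through a glued href; candidates for domain-list lookups."""
    return sorted({f["host"] for f in audit_links(html)
                   if f["glued_href"] and f["host"]})


if __name__ == "__main__":
    for finding in audit_links(SAMPLE_HTML):
        mark = "FLAG" if finding["glued_href"] else "ok  "
        print(mark, finding["host"], finding["raw_tag"])
```

The hosts returned by `suspicious_hosts` are the ones a URI rule would have needed to see; the flag itself is a cheap signal because legitimate mail generators do not emit this markup.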
Re: BAYES scores
On 2/28/2023 12:05 PM, Jeff Mincy wrote:
> From: joe a
> Date: Tue, 28 Feb 2023 11:37:34 -0500
>
> Curious as to why these scores, apparently "stock" are what they are.
> I'd expect BAYES_999 BODY to count more than BAYES_99 BODY.
>
> Noted in a header this morning:
>
> * 3.5 BAYES_99 BODY: Bayes spam probability is 99 to 100%
> * [score: 1.]
> * 0.2 BAYES_999 BODY: Bayes spam probability is 99.9 to 100%
> * [score: 1.]
>
> Was this discussed recently? I added a local score to mollify my sense
> of propriety.

Those two rules overlap. A message with bayes >= 99.9% hits both rules. BAYES_99 ends at 1.00 not .999. -jeff

I get that they overlap. I guess my thinker gets in a knot wondering why there is so little weight given to the more certain determination. In my narrow view, anything that is 99.9% certain is probably worth a 5 on its own. Or, at least should when, summed with BAYES_99, equal 5. As that is what the default "SPAM flag" is. Appears more experienced or thoughtful persons think otherwise. Yes, it did snow heavily overnight. Yes, I am looking for excuses not to visit that issue.
BAYES scores
Curious as to why these scores, apparently "stock" are what they are. I'd expect BAYES_999 BODY to count more than BAYES_99 BODY. Noted in a header this morning: * 3.5 BAYES_99 BODY: Bayes spam probability is 99 to 100% * [score: 1.] * 0.2 BAYES_999 BODY: Bayes spam probability is 99.9 to 100% * [score: 1.] Was this discussed recently? I added a local score to mollify my sense of propriety.
Re: BAYES_00 BODY. Negative score?
On 2/17/2023 10:41 PM, Loren Wilton wrote: They receive wildly different BAYES scores.

* -1.9 BAYES_00 BODY: Bayes spam probability is 0 to 1%
* [score: 0.0002]
* 2.2 BAYES_20 BODY: Bayes spam probability is 5 to 20%
* [score: 0.0881]

This looks like you have per-user Bayes databases, and the message type has been trained differently in each. Also, it looks like there are per-user rules, since BAYES_50 has a normal score of 0.2, and there is no reason BAYES_20 (indicating much less spammy) should have a score of 2.2. Per-user is not setup. This morning I sent the message again, with users reversed in the TO: field and the scores are identical. This may prove nothing as I thoughtlessly added the high score message to my "HAM" folder and it was processed. While the scores are identical the X-Spam-Report lists them in different order, while X-Spam-Status shows them identically, "RCVD_IN_MSPIKE_H2 RBL" being listed near the top in one and near the bottom in the other. Perhaps that is meaningless, but it pings my curiosity.
Re: BAYES_00 BODY. Negative score?
On 2/17/2023 3:25 PM, joe a wrote: Did a simple test today sending an email from a gmail account to two email accounts on my system. The only difference was the email address, both were on the same "To:" line in the composed messages. They receive wildly different BAYES scores.

--
X-Spam-Checker-Version: SpamAssassin 3.4.5 (2021-03-20) on myserver
X-Spam-Level: *
X-Spam-Status: No, score=1.1 required=4.9 tests=BAYES_00,DKIM_SIGNED,
 DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,FREEMAIL_FROM,HTML_MESSAGE,
 IXHASH_X1,RCVD_IN_MSPIKE_H2,SPF_HELO_NONE,SPF_SOFTFAIL
 autolearn=disabled version=3.4.5
X-Spam-Report:
 * -1.9 BAYES_00 BODY: Bayes spam probability is 0 to 1%
 * [score: 0.0002]
--
X-Spam-Checker-Version: SpamAssassin 3.4.5 (2021-03-20) on myserver
X-Spam-Flag: YES
X-Spam-Level: *
X-Spam-Status: Yes, score=5.2 required=4.9 tests=BAYES_20,DKIM_SIGNED,
 DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,FREEMAIL_FROM,HTML_MESSAGE,
 IXHASH_X1,RCVD_IN_MSPIKE_H2,SPF_HELO_NONE,SPF_SOFTFAIL
 autolearn=disabled version=3.4.5
X-Spam-Report:
 * 2.2 BAYES_20 BODY: Bayes spam probability is 5 to 20%
 * [score: 0.0881]
--

Just another sign of BAYES wackiness? More evidence of need for rebuild?
Re: BAYES_00 BODY. Negative score?
On 2/17/2023 11:44 AM, Martin Gregorie wrote: On Fri, 2023-02-17 at 10:54 -0500, joe a wrote: Could it have been that simple? If, like myself, you find reference books useful, you may want to get a copy of "Linux in a Nutshell" - an O'Reilly book. It tends to assume you know at least one other OS fairly well, is well organised and concise. I've also found "Debian Reference" http://www.debian.org/doc/manuals/debian-reference/ useful for most flavours of Linux (I use Fedora and Raspbian) Martin There was also a "Unix in a Nutshell". I found it amusing, in my NetWare days, to have a copy on my desk and offer it to the Unix-oids that meandered in from time to time, that liked to scoff at "security by obscurity" and those "Puny PC's you call Servers". (That from folks that swore sendmail was forever king and operated the email server as an open relay). A bit of an issue when I offered that the book should be called "Nuts, in a Unix Shell". . . Ah, the memories . . .
Re: BAYES_00 BODY. Negative score?
On 2/17/2023 4:42 AM, Matus UHLAR - fantomas wrote: On 16.02.23 15:57, joe a wrote: Re-energized having recently heroically wrestled an elusive issue (to me) into surrender . . . we now turn to another issue. Probably I need to retrain BAYES "From scratch". I have a mess (years?) of stored sample emails that can be relearned. I understand that sa-learn should be run as the same user as spamd, however I find it has always been run as root and when running as the spamassassin user results in errors, such as: ~su -c "sa-learn --spam /var/mail/spamd/Cabinet.Missed-SPAM" spamfilter results in errors, starting with:

plugin: failed to parse plugin (from @INC): Can't locate Mail/SpamAssassin/Plugin/SpamCop.pm: lib/Mail/SpamAssassin/Plugin/SpamCop.pm: Permission denied at (eval 44) line 1.
plugin: failed to parse plugin (from @INC): Can't locate Mail/SpamAssassin/Plugin/AutoLearnThreshold.pm: lib/Mail/SpamAssassin/Plugin/AutoLearnThreshold.pm: Permission denied at (eval 45) line 1.

try first changing current working directory into one readable by user "spamfilter", perhaps root (/). Could it have been that simple? Yes, apparently it was. Many thanks. joe a.
Re: BAYES_00 BODY. Negative score?
On 2/17/2023 7:37 AM, Reindl Harald wrote: Am 16.02.23 um 23:34 schrieb joe a: I have no idea what you refer to when you state "don't user proper packages". "Proper" in what sense? A rhetorical question. i have no idea how you installed SA but rpm packages or debs usually have correct permissions Oh, of course. I installed as root initially, being foolish perhaps you *must* install software as root because the service *must not* have write permissions to its own binary files but did create a specific user "later" and adjusted permissions as needed. Or, so I thought the real question was HOW DID YOU INSTALL it from the first day i maintained production servers i learnt to build my own rpm packages - no matter if it's software written in C, PHP or Perl why? * because you get rid of leftover files over the years * permissions are part of the package * the package manager detects many conflicts One of the first things I learned when assembling things or attempting to learn something new, is to follow the instructions and only attempt to vary from them once you absolutely understood what you were doing. Or, suffer the consequences along with the (rare) accolades for improving a process. That said, I would never "build my own rpm package" in this context. This is almost entirely a "home/office" system that seems low traffic. So, I installed postfix and spamassassin initially from the OS vendor supplied packages. Over the years I applied updates from outside the OS vendor channel, from packages from "authors" sites, as the versions diverged enough to be a concern. There have been some OS updates as well and at least one transfer from one VM to another. All this appears to be digression, to me, the issue, to me, seems to be why root sees the stuff in this @INC entity differently from how the SA user sees it. With the insights and pointers gained in this thread, I hope to solve that sometime soon.
Re: BAYES_00 BODY. Negative score?
On 2/16/2023 8:28 PM, Matija Nalis wrote: On Thu, Feb 16, 2023 at 05:34:37PM -0500, joe a wrote: Oh, of course. I installed as root initially, being foolish perhaps, but did create a specific user "later" and adjusted permissions as needed. Or, so I thought. well, installing as root (especially with restrictive umask) manually (e.g. "make install" or "cpan" vs. "yum/rpm/dpkg") may often make problems, even if you later switch to packages (you need to look not only at final file permissions, but at directories leading up to it too). namei -l /path/to/file.pm is often helpful to quickly check ALL permissions needed to access file (+x on directories is a must) Permissions are (almost) certainly the issue. Now having the impressive locate/mlocate creature at my command, I might actually make progress. I usually troubleshoot those (if log is insufficient) with: strace -efile -o /tmp/sa.log spamassassin foobar then look at /tmp/sa.log to see which open/stat/access returned -1 EPERM or EACCES error. Then check all path components for that file using "namei -l" (or multiple "ls -ld"). Then try to su to that user and "cat" that file manually. If not regular DAC (chmod/chown) permissions, it might also be SELINUX restrictions or more rarely ACL (getfacl(1)). Well, I am in unfamiliar waters. picking one error message as typical: plugin: failed to parse plugin (from @INC): Can't locate Mail/SpamAssassin/Plugin/iXhash2.pm: lib/Mail/SpamAssassin/Plugin/iXhash2.pm: Permission denied at (eval 1746) line 1. The file locations shown do not exist, as explicitly as shown. What I find using "locate iXhash2.pm" is: /usr/lib/perl5/vendor_perl/5.26.1/Mail/SpamAssassin/Plugin/iXhash2.pm which the SA user can access, at least see via ll. The others I've checked are also visible, and directories are x (executable). The sense I am getting is there is a perl file that contains these paths that is referred to as @INC.
I don't have the knowledge at this point to see if, somehow, root sees the files as shown in the error or if the path is somehow altered for the SA user. Thanks for any guidance.
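The per-component permission walk suggested in this message (what `namei -l` shows), as an added Python example that is not code from the thread or from SpamAssassin; it also shows how a relative `lib/...` candidate, as in the quoted errors, is refused at an untraversable working directory before the module is even looked for. The uid values, the `start` parameter and the temporary tree are assumptions of the example, and only owner/group/other mode bits are evaluated, not ACLs or SELinux.

```python
import os
import tempfile


def _bits_for(st, uid, gids):
    """rwx bits (0-7) of the owner, group or other class that applies to uid."""
    if st.st_uid == uid:
        return (st.st_mode >> 6) & 7
    if st.st_gid in gids:
        return (st.st_mode >> 3) & 7
    return st.st_mode & 7


def first_denied(path, uid, gids=(), start=os.sep):
    """Return (component, reason) for the first component at or below `start`
    that stops `uid` from reading `path`, or None if nothing does.
    Assumes `path` lies under `start` and that the caller can stat the chain."""
    if uid == 0:
        return None  # root bypasses these mode-bit checks
    path = os.path.abspath(path)  # relative candidates resolve against the cwd
    start = os.path.abspath(start)
    rel = os.path.relpath(path, start)
    names = [] if rel == os.curdir else rel.split(os.sep)
    chain = [start]
    for name in names:
        chain.append(os.path.join(chain[-1], name))
    for i, comp in enumerate(chain):
        try:
            st = os.stat(comp)
        except FileNotFoundError:
            return comp, "does not exist"
        bits = _bits_for(st, uid, set(gids))
        is_last = i == len(chain) - 1
        if not is_last and not bits & 1:
            return comp, "no search (x) permission on directory"
        if is_last and not bits & 4:
            return comp, "no read (r) permission"
    return None


def build_demo_tree():
    """Constructed tree: a mode-0700 'working directory' beside a readable
    library directory holding one module file."""
    base = tempfile.mkdtemp(prefix="inc-demo-")
    os.chmod(base, 0o755)
    locked_cwd = os.path.join(base, "locked-cwd")
    os.mkdir(locked_cwd)
    os.chmod(locked_cwd, 0o700)
    libdir = os.path.join(base, "vendor_perl")
    os.mkdir(libdir)
    os.chmod(libdir, 0o755)
    module = os.path.join(libdir, "SpamCop.pm")
    with open(module, "w") as fh:
        fh.write("1;\n")
    os.chmod(module, 0o644)
    return base, locked_cwd, module


if __name__ == "__main__":
    base, locked_cwd, module = build_demo_tree()
    other_uid = os.getuid() + 1  # stand-in for the unprivileged filter user
    relative_hit = os.path.join(locked_cwd, "lib", "Mail", "SpamAssassin",
                                "Plugin", "SpamCop.pm")
    print("installed module:", first_denied(module, other_uid, start=base))
    print("relative lib/ candidate:", first_denied(relative_hit, other_uid, start=base))
```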
Re: BAYES_00 BODY. Negative score?
. . . it also runs with another environment, so it may miss PATHes or @INC directories. That throws me a curve. What is an @INC directory? SA specific? I do not find any with the locate command, but if they are an actual directory may need to escape the @ sign somehow. \ does not seem to do it. I begin to see. It is a perl thing. I knew I should not have left that camel at the oasis.
Re: BAYES_00 BODY. Negative score?
On 2/16/2023 5:32 PM, hg user wrote: On Thu, Feb 16, 2023 at 9:57 PM joe a <mailto:joea-li...@j4computers.com>> wrote: plugin: failed to parse plugin (from @INC): Can't locate Mail/SpamAssassin/Plugin/SpamCop.pm: lib/Mail/SpamAssassin/Plugin/SpamCop.pm: Permission denied at (eval 44) line 1. root can do anything. a restricted user can't: it's only allowed to do what others allowed it. it also runs with another environment, so it may miss PATHes or @INC directories. That throws me a curve. What is an @INC directory? SA specific? I do not find any with the locate command, but if they are an actual directory may need to escape the @ sign somehow. \ does not seem to do it. You should locate the SpamCop.pm file and list the owner and ACL. This I have done, with no change, even to the point of starting using _R option at /usr/lib/perl5/vendor_perl/5.26.1/Mail As user spamfilter run spamassassin with -D and see in the first lines if you have similar errors. Done that. It is impressively more verbose, but I did not detect any more errors. Also check permission of /var/mail/spamd/Cabinet.Missed-SPAM. I had permission problems trying to sa-learn files owned by root. That I found and fixed some time back. Running with the -D option does produce more, after that list of permission denied items Feb 16 15:55:30.884 [10384] dbg: config: warning: no description set for STOX_REPLY_TYPE_WITHOUT_QUOTES These are not permission errors but warnings about the rules having no text descriptions. It's ok.
Re: BAYES_00 BODY. Negative score?
. . . I have no idea what you refer to when you state "don't user proper packages". "Proper" in what sense? A rhetorical question. i have no idea how you installed SA but rpm packages or debs usually have correct permissions Oh, of course. I installed as root initially, being foolish perhaps, but did create a specific user "later" and adjusted permissions as needed. Or, so I thought. Mlocate is (was) not installed in this particular system but promises to be useful in the future, regardless of your intent. "find" has always been my go to tool. Such as it is. Still it remains to be determined why root user can run sa-learn without error while another whose permissions are more constrained, cannot. And that, regardless of root (!) cause, would seem to be an SA topic because the file permissions are obviously wrong which isn't a SA topic - SA can't do anything when you mess your local permissions Permissions are (almost) certainly the issue. Now having the impressive locate/mlocate creature at my command, I might actually make progress. Thanks for the help.
Re: BAYES_00 BODY. Negative score?
On 2/16/2023 4:30 PM, Reindl Harald wrote: Am 16.02.23 um 21:57 schrieb joe a: I understand that sa-learn should be run as the same user as spamd, however I find it has always been run as root and when running as the spamassassin user results in errors, such as: ~su -c "sa-learn --spam /var/mail/spamd/Cabinet.Missed-SPAM" spamfilter results in errors, starting with: plugin: failed to parse plugin (from @INC): Can't locate Mail/SpamAssassin/Plugin/SpamCop.pm: lib/Mail/SpamAssassin/Plugin/SpamCop.pm: Permission denied at (eval 44) line 1. plugin: failed to parse plugin (from @INC): Can't locate Mail/SpamAssassin/Plugin/AutoLearnThreshold.pm: lib/Mail/SpamAssassin/Plugin/AutoLearnThreshold.pm: Permission denied at (eval 45) line 1. One might presume this to be a permissions issue (where would I get THAT idea?) but permissions to what? As I cannot seem to find the items mentioned even as root. when you don't use proper packages and even can't update your mlocate database so that "locate SpamAssassin/Plugin/AutoLearnThreshold" that's hardly a SA topic [root@mail-gw:~]$ rpm -q --file /usr/share/perl5/vendor_perl/Mail/SpamAssassin/Plugin/AutoLearnThreshold.pm spamassassin-3.4.6-5.fc36.x86_64 [root@mail-gw:~]$ rpm -q --file /usr/share/perl5/vendor_perl/Mail/SpamAssassin/Plugin/SpamCop.pm spamassassin-3.4.6-5.fc36.x86_64 I have no idea what you refer to when you state "don't user proper packages". "Proper" in what sense? A rhetorical question. Mlocate is (was) not installed in this particular system but promises to be useful in the future, regardless of your intent. "find" has always been my go to tool. Such as it is. Still it remains to be determined why root user can run sa-learn without error while another whose permissions are more constrained, cannot. And that, regardless of root (!) cause, would seem to be an SA topic.
Re: BAYES_00 BODY. Negative score?
On 2/14/2023 6:09 PM, joe a wrote: Please let this sit for a while, I've discovered a fundamental issue with my scheme of feeding messages to BAYES. Unfortunately I was remiss, apparently, in setting up logging for some bits, so have no idea how long this has been failing. Sorry for the clutter. joe a.

Re-energized having recently heroically wrestled an elusive issue (to me) into surrender . . . we now turn to another issue. Probably I need to retrain BAYES "From scratch". I have a mess (years?) of stored sample emails that can be relearned. I understand that sa-learn should be run as the same user as spamd, however I find it has always been run as root and when running as the spamassassin user results in errors, such as: ~su -c "sa-learn --spam /var/mail/spamd/Cabinet.Missed-SPAM" spamfilter results in errors, starting with:

plugin: failed to parse plugin (from @INC): Can't locate Mail/SpamAssassin/Plugin/SpamCop.pm: lib/Mail/SpamAssassin/Plugin/SpamCop.pm: Permission denied at (eval 44) line 1.
plugin: failed to parse plugin (from @INC): Can't locate Mail/SpamAssassin/Plugin/AutoLearnThreshold.pm: lib/Mail/SpamAssassin/Plugin/AutoLearnThreshold.pm: Permission denied at (eval 45) line 1.

One might presume this to be a permissions issue (where would I get THAT idea?) but permissions to what? As I cannot seem to find the items mentioned even as root. Running with the -D option does produce more, after that list of permission denied items

Feb 16 15:55:30.884 [10384] dbg: config: warning: no description set for STOX_REPLY_TYPE_WITHOUT_QUOTES
Feb 16 15:55:30.884 [10384] dbg: config: warning: no description set for MSOE_MID_WRONG_CASE
Feb 16 15:55:30.884 [10384] dbg: config: warning: no description set for HELO_FRIEND
Feb 16 15:55:30.884 [10384] dbg: config: warning: no description set for STOX_AND_PRICE
Feb 16 15:55:30.884 [10384] dbg: config: warning: no description set for L_SPAM_TOOL_13
Feb 16 15:55:30.885 [10384] dbg: config: warning: no description set for FSL_FAKE_HOTMAIL_RVCD

Means something to someone I guess.
Re: BAYES_00 BODY. Negative score?
Please let this sit for a while, I've discovered a fundamental issue with my scheme of feeding messages to BAYES. Unfortunately I was remiss, apparently, in setting up logging for some bits, so have no idea how long this has been failing. Sorry for the clutter. joe a.

On 2/14/2023 5:37 PM, joe a wrote: On 2/14/2023 2:56 AM, Matus UHLAR - fantomas wrote: On 13.02.23 17:42, joe a wrote: Have some annoying SPAM that consistently shows a negative score on BAYES. Is the default scoring or influenced by BAYES in some way? *-1.9 BAYES_00 BODY: Bayes spam probability is 0 to 1% * [score: 0.] This indicates a mistrained database, which means you have trained too many spams or spam-like messages (commercial messages) as ham. Proper training of spams should help. Just keep your spam (and optionally ham) corpora for retraining in case you would drop the database. I also recommend to abstain from training commercial mail (notices from e-shops, companies you done business with etc) as ham, unless they generate BAYES_999 score and you want it lower. I often train them as spam so those give uncertain BAYES_50 result. Those mails resemble spam too much to be used for training. All, The term "proper training" has always seemed a bit problematic to me. That aside, experiencing an error trying attempting: sa-learn -D --spam /var/mail/spamd/Cabinet.saved-spam The last line shows:

***
Learned tokens from 0 message(s) (1 message(s) examined)
ERROR: the Bayes learn function returned an error, please re-run with -D for more information at /usr/bin/sa-learn line 500.
***

Which may be permissions related. However, there seem to be some errors/warning at the beginning, starting with:

***
Feb 14 17:26:14.956 [2855] dbg: plugin: loading Mail::SpamAssassin::Plugin::Razor2 from @INC
Feb 14 17:26:14.959 [2855] dbg: razor2: razor2 is not available
Feb 14 17:26:14.959 [2855] dbg: plugin: loading Mail::SpamAssassin::Plugin::SpamCop from @INC
plugin: failed to parse plugin (from @INC): Can't locate Mail/SpamAssassin/Plugin/SpamCop.pm: lib/Mail/SpamAssassin/Plugin/SpamCop.pm: Permission denied at (eval 44) line 1.
***

While this also suggests a permissions issue the only place I find SpamCop.pm (even as root) is at: "/usr/lib/perl5/vendor_perl/5.26.1/Mail/SpamAssassin/Plugin/SpamCop.pm", which is not in the path sa-learn concocted when invoked. Sorry if the formatting is weird or if this is useless information.
Re: BAYES_00 BODY. Negative score?
On 2/14/2023 2:56 AM, Matus UHLAR - fantomas wrote: On 13.02.23 17:42, joe a wrote: Have some annoying SPAM that consistently shows a negative score on BAYES. Is the default scoring or influenced by BAYES in some way? *-1.9 BAYES_00 BODY: Bayes spam probability is 0 to 1% * [score: 0.] This indicates a mistrained database, which means you have trained too many spams or spam-like messages (commercial messages) as ham. Proper training of spams should help. Just keep your spam (and optionally ham) corpora for retraining in case you would drop the database. I also recommend to abstain from training commercial mail (notices from e-shops, companies you done business with etc) as ham, unless they generate BAYES_999 score and you want it lower. I often train them as spam so those give uncertain BAYES_50 result. Those mails resemble spam too much to be used for training. All, The term "proper training" has always seemed a bit problematic to me. That aside, experiencing an error trying attempting: sa-learn -D --spam /var/mail/spamd/Cabinet.saved-spam The last line shows:

***
Learned tokens from 0 message(s) (1 message(s) examined)
ERROR: the Bayes learn function returned an error, please re-run with -D for more information at /usr/bin/sa-learn line 500.
***

Which may be permissions related. However, there seem to be some errors/warning at the beginning, starting with:

***
Feb 14 17:26:14.956 [2855] dbg: plugin: loading Mail::SpamAssassin::Plugin::Razor2 from @INC
Feb 14 17:26:14.959 [2855] dbg: razor2: razor2 is not available
Feb 14 17:26:14.959 [2855] dbg: plugin: loading Mail::SpamAssassin::Plugin::SpamCop from @INC
plugin: failed to parse plugin (from @INC): Can't locate Mail/SpamAssassin/Plugin/SpamCop.pm: lib/Mail/SpamAssassin/Plugin/SpamCop.pm: Permission denied at (eval 44) line 1.
***

While this also suggests a permissions issue the only place I find SpamCop.pm (even as root) is at: "/usr/lib/perl5/vendor_perl/5.26.1/Mail/SpamAssassin/Plugin/SpamCop.pm", which is not in the path sa-learn concocted when invoked. Sorry if the formatting is weird or if this is useless information.
Re: BAYES_00 BODY. Negative score?
On 2/13/2023 5:51 PM, Benny Pedersen wrote: joe a skrev den 2023-02-13 23:42: Have some annoying SPAM that consistently shows a negative score on . . . time to upgrade imho :=) . . . And, yes, I should upgrade.
Re: BAYES_00 BODY. Negative score?
On 2/13/2023 5:51 PM, Benny Pedersen wrote: joe a skrev den 2023-02-13 23:42: Have some annoying SPAM that consistently shows a negative score on BAYES. Is the default scoring or influenced by BAYES in some way? *-1.9 BAYES_00 BODY: Bayes spam probability is 0 to 1% * [score: 0.] SpamAssassin 3.4.5 time to upgrade imho :=) or train bayes to know what is spam or not spam, if it fails turn off autolearn, make a burdon what is autolearned in local.cf

bayes_auto_learn_threshold_nonspam n.nn (default: 0.1) The score threshold below which a mail has to score, to be fed into SpamAssassin's learning systems automatically as a non-spam message.

bayes_auto_learn_threshold_spam n.nn (default: 12.0) The score threshold above which a mail has to score, to be fed into SpamAssassin's learning systems automatically as a spam message.

i have changed scores on this 2 :) now i don't need manually training above is a plugin that need to be enabled for this to work remember to do a spamassassin --lint on changes of config files So, what did you change them to, may I ask? Not sure I really understand those limits. In any case, I feed new SPAM and HAM into BAYES twice a day. via scripts, etc. so I really should have autolearn off, yes? Maybe I need to retrain BAYES? IIRC last time took "a long time".
BAYES_00 BODY. Negative score?
Have some annoying SPAM that consistently shows a negative score on BAYES. Is the default scoring or influenced by BAYES in some way? *-1.9 BAYES_00 BODY: Bayes spam probability is 0 to 1% * [score: 0.] SpamAssassin 3.4.5 Thanks for any pointers.
Re: excluding specific RBL checks
On 1/9/2023 3:55 AM, Matus UHLAR - fantomas wrote: Until I can get around to updating I'm considering just nuking the actual tests from the ruleset. Much easier and reliable way: dns_query_restriction deny spamhaus.org Charles Sprickman skrev den 2023-01-09 08:04: Trying this on half the pair, I assume this hits all subdomains of spamhaus.org? Never ran into that parameter in my searches for this. On 09.01.23 09:26, Benny Pedersen wrote: never read perldoc Mail::SpamAssassin::Conf ? some people don't repeatedly read it thorough. Henrik forgot this is pr domain, so fully domain including subdomain seen in "rndc querylog" in bind logs ! spamassassin -D -t spamtestmsg 2>&1 | less dns_query_restriction deny dwl.dnswl.org list.dnswl.org dns_query_restriction deny multi.uribl.com imho score foo 0 is a bug no, it's documented feature - rules with score 0 are not run. However, joe a aka the OP should be more interested in finding out why are his DNS queries going through an open resolver and fixing the real issue. Right you are. It now appears resolved (cough, cough . . .). Spamhaus site provided this quick test: "dig 2.0.0.127.zen.spamhaus.org +short" which with variant "dig @my.local.dns.serv 2.0.0.127.zen.spamhaus.org +short", allowed me to pretty quickly sort it out. A lot of cobwebs needed to be cleared out, but, seems to be working as advertised. Thanks to all for their patience and suggestions. joe a.
Re: excluding specific RBL checks
On 1/8/2023 10:35 PM, Henrik K wrote: On Sun, Jan 08, 2023 at 04:23:11PM -0500, Charles Sprickman wrote: . . . # remove spamhaus tests,. . . score RCVD_IN_SBL 0 score RCVD_IN_XBL 0 score RCVD_IN_PBL 0 score URIBL_SBL 0 score URIBL_CSS 0 score URIBL_SBL_A 0. . . Much easier and reliable way: dns_query_restriction deny spamhaus.org Ah Hah! Seems to work for me. See? I CAN be taught! joe a.
Re: excluding specific RBL checks
On 1/8/2023 4:38 PM, Benny Pedersen wrote: joe a skrev den 2023-01-08 21:50: SA version 3.4.5 Gears are clashing, clutch is slipping, among other things. Trying to exclude certain checks, via Spamhaus services "by the book" what book ? The good one? Several places. Most looked like cut and paste from each other. Trying to find the exact place now and cannot. Saw it most recently on another list, where others happened to be having similar dns issues. When placing these values in local.cf: RCVD_IN_ZEN 0 RCVD_IN_XBL 0 RCVD_IN_PBL 0 "spamassassin --lint" complains. Yet SA starts without complaint and seems to not run those tests. you miss score in 3 lines ? Yep. Placing "score" at the beginning of the line makes lint happy and SA seems to start fine and also does not run those tests. so lint passed ? Yes, with score. So, one assumes it is a typo in the docs, or, one is expected to infer the "score" word. what docs ? anything on web is fake news, only valid docs is perldoc Mail::SpamAssassin::Conf I only know of https://spamassassin.apache.org/full/3.4.x/doc/ which I thought I was referencing. Seems likely I just allowed myself to be misled, "chaff". and all related plugins Yet I still see this while "skip_rbl_checks 1" (in both above scenarios): clear your config :) "RCVD_IN_ZEN_BLOCKED_OPENDNS RBL: ADMINISTRATOR NOTICE:" Which suggests that one runs despite the directive or, I am using the wrong one. make /etc/resolv.conf only have nameserver 127.0.0.1 and you either have bind, unbound, pdns-recursor as of your own choice Certainly worth a try and much simpler than what I was trying. still problems ?, lets hear them
Re: excluding specific RBL checks
On 1/8/2023 4:23 PM, Charles Sprickman wrote: What did you end up with? score RCVD_IN_ZEN_BLOCKED_OPENDNS 0 I am not certain if that stops the test or simply reporting of the message. Looks like I will need to do some packet capture after all. I have a bunch of zero rules for these yet still keep getting the "administrative notice" from sbl/zen. The fact that those guys don't just send out a "yes, this is on by default in spamassassin, here is copy pasta to turn us off" email bugs me. I've grown to this huge list and still get the warnings. # remove spamhaus tests, they want us to pay # need to include the first base rule or DNS still triggers but is ignored score __RCVD_IN_ZEN 0 Is that a typo? There should be no underscore before RCVD, correct? score RCVD_IN_SBL 0 score RCVD_IN_XBL 0 score RCVD_IN_PBL 0 score URIBL_SBL 0 score URIBL_CSS 0 score URIBL_SBL_A 0 score URIBL_CSS_A 0 score URIBL_DBL_SPAM 0 score URIBL_DBL_PHISH 0 score URIBL_DBL_MALWARE 0 score URIBL_DBL_BOTNETCC 0 score URIBL_DBL_ABUSE_SPAM 0 score URIBL_DBL_ABUSE_REDIR 0 score URIBL_DBL_ABUSE_PHISH 0 score URIBL_DBL_ABUSE_MALW 0 score URIBL_DBL_ABUSE_BOTCC 0 Until I can get around to updating I'm considering just nuking the actual tests from the ruleset. Charles
Re: excluding specific RBL checks
On 1/8/2023 4:00 PM, joe a wrote:

On 1/8/2023 3:50 PM, joe a wrote:

SA version 3.4.5

Gears are clashing, clutch is slipping, among other things. Trying to exclude certain checks, via spamhouse services "by the book"

When placing these values in local.cf:

RCVD_IN_ZEN 0
RCVD_IN_XBL 0
RCVD_IN_PBL 0

"spamassassin --lint" complains. Yet SA starts without complaint and seems to not run those tests.

Placing "score" at the beginning of the line makes lint happy and SA seems to start fine and also does not run those tests.

So, one assumes it is a typo in the docs, or, one is expected to infer the "score" word.

Yet I still see this while "skip_rbl_checks 1" (in both above scenarios):

"RCVD_IN_ZEN_BLOCKED_OPENDNS RBL: ADMINISTRATOR NOTICE:"

Which suggests that one runs despite the directive or, I am using the wrong one.

And the answer to the latter is "I had the wrong directive". Which is obvious. Now.

Correcting myself, yet again, "score" needs to be specified, it seems, otherwise this is seen in /var/log/mail:

2023-01-08T15:00:42.854109-05:00 auxilary spamd[14937]: config: failed to parse line, skipping, in "/etc/mail/spamassassin/local.cf": RCVD_IN_ZEN 0
2023-01-08T15:00:42.854573-05:00 auxilary spamd[14937]: config: failed to parse line, skipping, in "/etc/mail/spamassassin/local.cf": RCVD_IN_XBL 0
2023-01-08T15:00:42.854908-05:00 auxilary spamd[14937]: config: failed to parse line, skipping, in "/etc/mail/spamassassin/local.cf": RCVD_IN_PBL 0

Contrary to some, there is value in following logs when making changes. who'd have thought that.
Re: excluding specific RBL checks
On 1/8/2023 3:50 PM, joe a wrote: SA version 3.4.5 Gears are clashing, clutch is slipping, among other things. Trying to exclude certain checks, via spamhouse services "by the book" When placing these values in local.cf: RCVD_IN_ZEN 0 RCVD_IN_XBL 0 RCVD_IN_PBL 0 "spamassassin --lint" complains. Yet SA starts without complaint and seems to not run those tests. Placing "score" at the beginning of the line makes lint happy and SA seems to start fine and also does not run those tests. So, one assumes it is a typo in the docs, or, one is expected to infer the "score" word. Yet I still see this while "skip_rbl_checks 1" (in both above scenarios): "RCVD_IN_ZEN_BLOCKED_OPENDNS RBL: ADMINISTRATOR NOTICE:" Which suggests that one runs despite the directive or, I am using the wrong one. And the answer to the latter is "I had the wrong directive". Which is obvious. Now.
excluding specific RBL checks
SA version 3.4.5 Gears are clashing, clutch is slipping, among other things. Trying to exclude certain checks, via spamhouse services "by the book" When placing these values in local.cf: RCVD_IN_ZEN 0 RCVD_IN_XBL 0 RCVD_IN_PBL 0 "spamassassin --lint" complains. Yet SA starts without complaint and seems to not run those tests. Placing "score" at the beginning of the line makes lint happy and SA seems to start fine and also does not run those tests. So, one assumes it is a typo in the docs, or, one is expected to infer the "score" word. Yet I still see this while "skip_rbl_checks 1" (in both above scenarios): "RCVD_IN_ZEN_BLOCKED_OPENDNS RBL: ADMINISTRATOR NOTICE:" Which suggests that one runs despite the directive or, I am using the wrong one.
Re: Refused by block lists
On 1/8/2023 2:08 PM, Martin Gregorie wrote: On 07.01.23 14:06, joe a wrote: Pretty sure. Or, I was. Ran various tests with unbound running and not running confirmed it was working, at least providing a response. Thats pretty simple to check, provided you've got Wireshark installed: Fire it up and tell it to watch for DNS and/or blacklist lookup traffic on the appropriate ports. Then feed known spam to SA. Wireshark will show you if spam is causing external lookup requests to be generated, where they are being sent, and what replies are being received Martin Earlier I was going to do something like that, but at the firewall/router link to the cable modem. I wanted to be sure the "source IP" was the site static IP. A separate discussion uncovered I may have to register that IP with spamhaus.org. Registered years ago and stopped using it. Just now dawned that provider mergers cause my static IP's to change a few years back. Almost every day I pass a "beef farmer" whose ponds and field teem with Canadian Geese. Perhaps that should have been an omen?
Re: Refused by block lists
On 1/8/2023 12:36 PM, Matus UHLAR - fantomas wrote: On 07.01.23 12:03, joe a wrote: Thanks. I think I actually got unbound working but still was getting URIBL rejects from spamhaus. On 1/7/2023 1:25 PM, Matus UHLAR - fantomas wrote: - do you actually use that unbound server? is 127.0.0.1 in /etc/resolv.conf? On 07.01.23 14:06, joe a wrote: Pretty sure. Or, I was. Ran various tests with unbound running and not running confirmed it was working, at least providing a response. providing answer to my second question would spare you from guessing. 127.0.0.1 is not in /etc/resolv.conf. I labor under the impression that telling unbound to accept query only on one IP and telling SA in local.cf "dns_server th.at.addr.ess" would cause it to use unbound.
Re: Refused by block lists
On 1/7/2023 12:16 PM, Benny Pedersen wrote:

joe a wrote on 2023-01-07 18:03:

That will give me some time to review how to disable specific checks, such as dnswl.org which caused a score of -5.0 for some obviously spammy stuff.

please report spam https://www.dnswl.org/?page_id=17 especially for dnswl

hi I'll give it a try. When I looked at dnswl.org the last updated comment seemed to be from 2017, so I kind of wrote it off as being unmaintained. But, what do I know?
Re: Refused by block lists
On 1/7/2023 1:25 PM, Matus UHLAR - fantomas wrote: On 1/7/2023 9:06 AM, Matus UHLAR - fantomas wrote: https://cwiki.apache.org/confluence/display/SPAMASSASSIN/DnsBlocklists Q: My queries to a DNS-blocklist were blocked. What does this mean? ... Resolving the block might be as simple as using your own non-forwarding caching nameserver https://cwiki.apache.org/confluence/display/SPAMASSASSIN/CachingNameserver On 07.01.23 12:03, joe a wrote: Thanks. I think I actually got unbound working but still was getting URIBL rejects from spamhaus. - do you actually use that unbound server? is 127.0.0.1 in /etc/resolv.conf? Pretty sure. Or, I was. Ran various tests with unbound running and not running confirmed it was working, at least providing a response. SA I told to use unbound via local.cf as well. Right now unbound is disabled and DNS is via "my old way". - doesn't unbound forward queries to other (isp, open) resolvers? Not certain. The docs/examples seemed a bit sparse suggesting it does and exceptions needed to be specified for spamhaus (for example) but did not provide examples of how to do that. Some folks elsewhere seemed to suggest it would "just work". Likely I need to learn how to configure it properly?
Re: Refused by block lists
On 1/7/2023 9:06 AM, Matus UHLAR - fantomas wrote: On Fri, 6 Jan 2023, joe a wrote: Attempting to utilize the various block lists and find rejection messages in mail headers "blocked due to usage of an open resolver". On 06.01.23 09:49, John Hardin wrote: Are you forwarding your SpamAssassin DNS queries to your ISP or (e.g.) Google? Best practice is to set up a local, non-forwarding (potentially non-forwarding only for the DNSBL domains, see my email from a week or so back) DNS server for your MTA and SpamAssassin to use (potentially your entire local network as well, but that's not relevant to your question). DNSBL providers generally don't like requests from public DNS servers as they aggregate a lot of requests from a lot of sources. https://cwiki.apache.org/confluence/display/SPAMASSASSIN/DnsBlocklists Q: My queries to a DNS-blocklist were blocked. What does this mean? ... Resolving the block might be as simple as using your own non-forwarding caching nameserver https://cwiki.apache.org/confluence/display/SPAMASSASSIN/CachingNameserver Thanks. I think I actually got unbound working but still was getting URIBL rejects from spamhaus. I've disabled queries for now and will try again in a few days, thinking the "free use" limits may have been tripped. That will give me some time to review how to disable specific checks, such as dnswl.org which caused a score of -5.0 for some obviously spammy stuff.
Re: Refused by block lists
On 1/6/2023 12:49 PM, John Hardin wrote: On Fri, 6 Jan 2023, joe a wrote: . .. I think you're getting distracted by the word "resolve" there... This sounds like a DNS issue. Agree it is likely a DNS issue. Apparently one I do not yet grasp. Is there an online tool to which I can make a DNS query and have it display what it receives? Trying to avoid having to packet sniff my outbound traffic. I have captured DNS queries via the firewall log/filters, but would like to verify.
Re: Refused by block lists
On 1/6/2023 12:15 PM, Kevin A. McGrail wrote: My interpretation is thus: You have a firewall with a public IP and an private IP You have a box with email behind that firewall. When it talks to the world, it should do helo that maps back to your Firewall's public IP not to a private RFC1918 address. Regards,KAM Make sense to me. So I guess my real question is, how do I cause spamassassin to make it's query in that fashion? Since the wiki stated it in a way that suggests it is a spamassassin feature, I presume to ask here and not look at the firewall or elsewhere.
Refused by block lists
Attempting to utilize the various block lists and find rejection messages in mail headers "blocked due to usage of an open resolver". One of many things puzzling me at the moment is something found in the related Wiki that states "A: Third, if your email gateway is behind a firewall make sure that SpamAssassin is resolving the gateway to its external address." I brazenly confess I have no idea how to check this (or what it means, in this context). Figured I should sort out that puzzlement before attempting to install and configure "unbound" for example.
Re: local rule exclude all domains except "my list of approved"
On 1/5/2023 3:24 AM, Loren Wilton wrote:

You can simplify your rule code a little if you want:

header __LOCAL_FROM_BE From =~ /.\.beauty/i
meta LOCAL_BE (__LOCAL_FROM_BE)
score LOCAL_BE 2
describe LOCAL_BE from beauty domain

to

header LOCAL_BE From =~ /.\.beauty/i
score LOCAL_BE 2
describe LOCAL_BE from beauty domain

The meta isn't really doing anything there, since it only has a single clause. Metas are good when you want to combine the results of several matches with boolean logic.

You might also want to add a \b to the rule:

header LOCAL_BE From =~ /.\.beauty\b/i

Without that the rule will match ".beauty", but also ".beautyrest".

Another thing you might want to consider is using "From:addr" rather than just "From". As it is, it will match ".beauty" both in the address and in the person's name description. So it would match:

From: "janice.beautyfull"

Maybe you want that, in which a bare "From" is fine.

Ah. Thanks.
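The rule variants from this reply, compared side by side on constructed From headers. This is an added example, not code from the thread: Python's `re` stands in for SpamAssassin's Perl regexes, `email.utils.parseaddr` approximates what `From:addr` selects, and the `addr_end` variant (anchoring with `$`) is a hypothetical extra that goes one step beyond the thread to show that `\b` still accepts a label such as `beauty-deals`.

```python
import re
from email.utils import parseaddr

# name -> (pattern, match only the address part?)
VARIANTS = {
    "from":     (re.compile(r".\.beauty", re.I), False),    # original rule
    "from_b":   (re.compile(r".\.beauty\b", re.I), False),  # with \b added
    "addr_b":   (re.compile(r".\.beauty\b", re.I), True),   # From:addr with \b
    "addr_end": (re.compile(r".\.beauty$", re.I), True),    # hypothetical, not from the thread
}

# Constructed sample From header values (not taken from real mail).
SAMPLES = {
    "tld":          '"Deals" <promo@shop.beauty>',
    "longer_tld":   '"Sleep Shop" <sales@mail.beautyrest>',
    "display_name": '"janice.beautyfull" <janice@example.org>',
    "name_exact":   '"visit glow.beauty today" <news@example.net>',
    "hyphen_label": '"Promo" <info@shop.beauty-deals.example>',
    "clean":        '"Alice" <alice@example.com>',
}


def rule_hits(header_value):
    """Return the names of the variants that would fire on this From value."""
    address = parseaddr(header_value)[1]
    hits = []
    for name, (pattern, addr_only) in VARIANTS.items():
        subject = address if addr_only else header_value
        if pattern.search(subject):
            hits.append(name)
    return hits


def hit_table():
    """Map every sample label to the list of variants that matched it."""
    return {label: rule_hits(value) for label, value in SAMPLES.items()}


if __name__ == "__main__":
    for label, hits in hit_table().items():
        print(f"{label:13} {SAMPLES[label]:48} {hits}")
```
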
local rule exclude all domains except "my list of approved"
As an increasing amount of SPAM from "boutique" domains began slipping through, I resorted to assuring they are marked as SPAM by adding custom rules when sufficiently annoyed.

The local rules take this form (thanks to whoever provided the "template" for this):

header __LOCAL_FROM_BE From =~ /.\.beauty/i
meta LOCAL_BE (__LOCAL_FROM_BE)
score LOCAL_BE 2
describe LOCAL_BE from beauty domain

Initially I thought it might be fun to create a "match everything except what I list in this rule", so will search the Camel book, to learn or refresh. But, likely someone has already done this, or, there is a simpler way already devised, hence the post.

I do not want to block these outright, say at the firewall or Postfix level, just simply flagged as SPAM, as some of these might deserve review at least for entertainment value.
Re: spamd config error
On 1/2/2023 4:27 PM, Bill Cole wrote: On 2023-01-02 at 16:18:53 UTC-0500 (Mon, 2 Jan 2023 16:18:53 -0500) joe a is rumored to have said: On 1/2/2023 4:01 PM, joe a wrote: On 1/2/2023 2:49 PM, joe a wrote: Noticed this line in /var/log/mail: spamd[31188]: config: failed to parse line, skipping, in "/etc/mail/spamassassin/local.cf": Mail::SpamAssassin::Plugin::URIDNSBL It seems to have started a few weeks ago and does not appear to be related to the date of any deliberate changes on my part. Small home office system. My skills are a bit stale, so any assistance is gladly accepted. It appears to be related to this line in local.cf: Mail::SpamAssassin::Plugin::URIDNSBL When I comment that out and restart spamd, the error no longer appears. It appears OK, but perhaps my eyes are cheated by some spell? Wow. It appears you actually have to state "loadplugin". Yes. As documented. :) You should not need to load that plugin in local.cf. It is loaded by default in init.pre. Good to know. I found the docs difficult to follow, initially, and just now, having not looked at them for a good while. 15 minute retraining window, you know. Age is a cruel mistress. Anyway, it is in init.pre as you say and I just confirmed it is not needed in local.cf. Not implying any lack of faith you understand .
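Both this thread and the "excluding specific RBL checks" thread turned on the same spamd message: a line in local.cf that is silently skipped, so the configuration in force is not the one that was written. The sketch below is an added example, not code from the list or from SpamAssassin; it pulls those messages out of a mail log and attaches the fix each thread arrived at. The two hint patterns are assumptions based only on the two cases discussed here, and the last sample log line is constructed.

```python
import re

# The spamd lines quoted in the threads, plus one constructed line (the last)
# that must be ignored.
SAMPLE_LOG = """\
2023-01-08T15:00:42.854109-05:00 auxilary spamd[14937]: config: failed to parse line, skipping, in "/etc/mail/spamassassin/local.cf": RCVD_IN_ZEN 0
2023-01-08T15:00:42.854573-05:00 auxilary spamd[14937]: config: failed to parse line, skipping, in "/etc/mail/spamassassin/local.cf": RCVD_IN_XBL 0
2023-01-08T15:00:42.854908-05:00 auxilary spamd[14937]: config: failed to parse line, skipping, in "/etc/mail/spamassassin/local.cf": RCVD_IN_PBL 0
spamd[31188]: config: failed to parse line, skipping, in "/etc/mail/spamassassin/local.cf": Mail::SpamAssassin::Plugin::URIDNSBL
2023-01-08T15:01:10.000000-05:00 auxilary spamd[14937]: spamd: connection from localhost
"""

FAILED = re.compile(
    r'spamd\[(?P<pid>\d+)\]: config: failed to parse line, skipping, '
    r'in "(?P<file>[^"]+)": (?P<text>.*)$'
)

NUM = r"-?\d+(?:\.\d+)?"
# Assumption: a bare "RULE_NAME value [value ...]" line was meant as a score line.
BARE_SCORE = re.compile(rf"^[A-Za-z_][A-Za-z0-9_]*(?:\s+{NUM}){{1,4}}$")
# Assumption: a bare plugin class name was meant as a loadplugin line.
BARE_PLUGIN = re.compile(r"^Mail::SpamAssassin::Plugin::\w+")


def hint_for(text):
    """Classify a skipped config line by the fix found in the threads."""
    text = text.strip()
    if BARE_SCORE.match(text):
        return "missing 'score'"
    if BARE_PLUGIN.match(text):
        return "missing 'loadplugin'"
    return "unrecognised"


def skipped_lines(log_text):
    """Return one finding per distinct (file, skipped line) pair in the log."""
    findings, seen = [], set()
    for line in log_text.splitlines():
        match = FAILED.search(line)
        if not match:
            continue
        key = (match["file"], match["text"].strip())
        if key in seen:  # the same line is reported again on every restart
            continue
        seen.add(key)
        findings.append({"file": key[0], "text": key[1], "hint": hint_for(key[1])})
    return findings


if __name__ == "__main__":
    for finding in skipped_lines(SAMPLE_LOG):
        print(f'{finding["file"]}: {finding["text"]!r} -> {finding["hint"]}')
```
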
Re: spamd config error
On 1/2/2023 4:01 PM, joe a wrote: On 1/2/2023 2:49 PM, joe a wrote: Noticed this line in /var/log/mail: spamd[31188]: config: failed to parse line, skipping, in "/etc/mail/spamassassin/local.cf": Mail::SpamAssassin::Plugin::URIDNSBL It seems to have started a few weeks ago and does not appear to be related to the date of any deliberate changes on my part. Small home office system. My skills are a bit stale, so any assistance is gladly accepted. It appears to be related to this line in local.cf: Mail::SpamAssassin::Plugin::URIDNSBL When I comment that out and restart spamd, the error no longer appears. It appears OK, but perhaps my eyes are cheated by some spell? Wow. It appears you actually have to state "loadplugin". A great way to start a new year.
Re: spamd config error
On 1/2/2023 2:49 PM, joe a wrote: Noticed this line in /var/log/mail: spamd[31188]: config: failed to parse line, skipping, in "/etc/mail/spamassassin/local.cf": Mail::SpamAssassin::Plugin::URIDNSBL It seems to have started a few weeks ago and does not appear to be related to the date of any deliberate changes on my part. Small home office system. My skills are a bit stale, so any assistance is gladly accepted. It appears to be related to this line in local.cf: Mail::SpamAssassin::Plugin::URIDNSBL When I comment that out and restart spamd, the error no longer appears. It appears OK, but perhaps my eyes are cheated by some spell?
spamd config error
Noticed this line in /var/log/mail: spamd[31188]: config: failed to parse line, skipping, in "/etc/mail/spamassassin/local.cf": Mail::SpamAssassin::Plugin::URIDNSBL It seems to have started a few weeks ago and does not appear to be related to the date of any deliberate changes on my part. Small home office system. My skills are a bit stale, so any assistance is gladly accepted.
Re: subscribe to blacklist for domains
I am far from an anti SPAM expert, but: On 8/13/2022 4:52 PM, Vincent Lefevre wrote: On 2022-08-13 14:05:43 -0400, joe a wrote: On 8/13/2022 12:38 PM, Martin Gregorie wrote: . . . 2) There's no mandatory need to REJECT spam. It has always been up to the recipient to decide whether to return it to the sender or not. Agreed in part. I see returning SPAM to sender as an exercise in futility or perhaps further enabling. But I do prefer labeling as SPAM to outright rejection in many cases. Rejecting mail (instead of accepting it and dropping it) is useful in case of false positives. That may be so and of use to a legitimate sender that actually cares about such things. A true SPAM'er could not care less. 3) It would be rather trivial to return spam to sender with a suitable admonishment but I decided that its not worth my time to write such a discriminator and maintain yet another set of rules about what gets quarantined and what gets returned: better to quarantine it so it can be analysed with the mk 1 eyeball. To add my comment, returning SPAM, assuming it even reaches the original sender, may serve only to assure them of the effectiveness of their campaign to reach valid addresses. In effect "helping" them. Well, if you don't reject the mail with the reason that the address is invalid, the spammer could deduce that the address is valid (at least potentially valid). By not rejecting spam, the spammer could think that the spam arrived at its destination and would validate the address. Rejecting mail for an invalid recipient was not my concern. In the case of an invalid email address is certainly proper to inform the sender of that fact. I could even agree that informing senders of "false positives" is useful as well, but doing that via a "REJECT" would seem burdensome. REJECT-ing email that is flagged by one of the DNS RBL thingies still seems to me to be wasted effort and possibly counter productive. Why waste your own system resources to help a scoundrel? 
Drop them and be done. joe a.
Re: subscribe to blacklist for domains
I'll be sure to look this over well to see what I can use or adapt, thanks.

On 8/13/2022 11:04 AM, Reindl Harald wrote:

On 13.08.22 at 16:21, joe a wrote:

Ah, thanks for describing that. I am somewhat more brain fogged than usual this morning, so am uncertain any of those would work in this configuration. But I certainly need to look deeper. At least into my coffee mug.

This is a low volume system consisting of postfix, SA, clamav and fetchmail. The mailserver (postfix) is not exposed to the internet, mail traffic is sent to it by "fetchmail", which itself goes out to several providers where mail accounts reside.

My first thought was, the postfix stuff would work, because . . . then I realized, I've not looked at those solutions for some time, if ever. So, I should stop here and look them over.

However, any real world "we did that" exists, please let me know

if 8 years in production is enough for you look below and keep in mind that this is for a inbound-only server and must not be applied to submission

postscreen_bare_newline_enable = no
postscreen_bare_newline_action = enforce
postscreen_pipelining_enable = no
postscreen_pipelining_action = enforce
postscreen_non_smtp_command_enable = no
postscreen_non_smtp_command_action = enforce
postscreen_dnsbl_min_ttl = 30s
postscreen_dnsbl_max_ttl = 30s
postscreen_dnsbl_threshold = 8
postscreen_dnsbl_action = enforce
postscreen_greet_action = enforce
postscreen_greet_wait = 10
postscreen_dnsbl_sites =
  dnsbl.sorbs.net=127.0.0.10*9
  dnsbl.sorbs.net=127.0.0.14*9
  zen.spamhaus.org=127.0.0.[10;11]*8
  dnsbl.sorbs.net=127.0.0.5*7
  zen.spamhaus.org=127.0.0.[4..7]*7
  b.barracudacentral.org=127.0.0.2*7
  zen.spamhaus.org=127.0.0.3*7
  dnsbl.inps.de=127.0.0.2*7
  hostkarma.junkemailfilter.com=127.0.0.2*4
  dnsbl.sorbs.net=127.0.0.7*4
  bl.spameatingmonkey.net=127.0.0.[2;3]*4
  dnsrbl.swinog.ch=127.0.0.3*4
  ix.dnsbl.manitu.net=127.0.0.2*4
  psbl.surriel.com=127.0.0.2*4
  bl.spamcop.net=127.0.0.2*4
  bl.mailspike.net=127.0.0.[10;11;12]*4
  bl.mailspike.net=127.0.0.2*4
  zen.spamhaus.org=127.0.0.2*3
  dnsbl.sorbs.net=127.0.0.6*3
  dnsbl.sorbs.net=127.0.0.8*2
  hostkarma.junkemailfilter.com=127.0.0.4*2
  dnsbl.sorbs.net=127.0.0.9*2
  dnsbl-1.uceprotect.net=127.0.0.2*2
  all.spamrats.com=127.0.0.38*2
  bl.nszones.com=127.0.0.[2;3]*1
  dnsbl-2.uceprotect.net=127.0.0.2*1
  dnsbl.sorbs.net=127.0.0.2*1
  dnsbl.sorbs.net=127.0.0.4*1
  dnsbl.sorbs.net=127.0.0.3*1
  hostkarma.junkemailfilter.com=127.0.1.2*1
  dnsbl.sorbs.net=127.0.0.15*1
  ips.backscatterer.org=127.0.0.2*1
  bl.nszones.com=127.0.0.5*-1
  wl.mailspike.net=127.0.0.[18;19;20]*-2
  hostkarma.junkemailfilter.com=127.0.0.1*-2
  ips.whitelisted.org=127.0.0.2*-2
  list.dnswl.org=127.0.[0..255].0*-2
  dnswl.inps.de=127.0.[0;1].[2..10]*-2
  list.dnswl.org=127.0.[0..255].1*-3
  list.dnswl.org=127.0.[0..255].2*-4
  list.dnswl.org=127.0.[0..255].3*-5
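How the weighted entries in the quoted `postscreen_dnsbl_sites` combine against `postscreen_dnsbl_threshold = 8`, as an added example that is not Postfix code and not part of the quoted configuration. It uses a subset of the quoted entries, the DNSBL replies passed in are constructed, and it assumes each `domain=filter*weight` entry counts once when any returned address matches its filter.

```python
import re

THRESHOLD = 8  # postscreen_dnsbl_threshold in the quoted config

# Subset of the quoted postscreen_dnsbl_sites entries.
SITES = """
zen.spamhaus.org=127.0.0.[10;11]*8
zen.spamhaus.org=127.0.0.[4..7]*7
zen.spamhaus.org=127.0.0.3*7
zen.spamhaus.org=127.0.0.2*3
b.barracudacentral.org=127.0.0.2*7
bl.spamcop.net=127.0.0.2*4
list.dnswl.org=127.0.[0..255].1*-3
list.dnswl.org=127.0.[0..255].3*-5
""".split()

ENTRY = re.compile(
    r"^(?P<domain>[^=*]+)(?:=(?P<filter>[^*]+))?(?:\*(?P<weight>-?\d+))?$"
)


def parse_octet(spec):
    """Values accepted by one octet pattern: 'N' or '[a;b..c;...]'."""
    if not spec.startswith("["):
        return {int(spec)}
    allowed = set()
    for part in spec[1:-1].split(";"):
        low, _, high = part.partition("..")
        allowed.update(range(int(low), int(high or low) + 1))
    return allowed


def parse_site(entry):
    """Split 'domain=filter*weight' into (domain, octet sets or None, weight)."""
    match = ENTRY.match(entry)
    if not match:
        raise ValueError(f"bad entry: {entry!r}")
    octets = None
    if match["filter"]:
        parts = re.findall(r"\[[^\]]*\]|\d+", match["filter"])
        if len(parts) != 4:
            raise ValueError(f"bad filter: {entry!r}")
        octets = [parse_octet(p) for p in parts]
    return match["domain"], octets, int(match["weight"] or 1)


def dnsbl_score(replies, sites=SITES):
    """replies maps a DNSBL domain to the A records it returned for a client."""
    total, matched = 0, []
    for entry in sites:
        domain, octets, weight = parse_site(entry)
        for addr in replies.get(domain, []):
            nums = [int(x) for x in addr.split(".")]
            if octets is None or all(n in ok for n, ok in zip(nums, octets)):
                total += weight
                matched.append(entry)
                break  # assumption: an entry counts once per client
    return total, matched


def blocked(replies):
    """True when the combined score reaches the (inclusive) threshold."""
    return dnsbl_score(replies)[0] >= THRESHOLD


if __name__ == "__main__":
    # Constructed replies: two blocklist hits offset by a dnswl entry.
    sample = {
        "b.barracudacentral.org": ["127.0.0.2"],
        "bl.spamcop.net": ["127.0.0.2"],
        "list.dnswl.org": ["127.0.5.3"],
    }
    print(dnsbl_score(sample), blocked(sample))
```
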
Re: subscribe to blacklist for domains
On 8/13/2022 12:38 PM, Martin Gregorie wrote: . . . 2) There's no mandatory need to REJECT spam. It has always been up to the recipient to decide whether to return it to the sender or not. Agreed in part. I see returning SPAM to sender as an exercise in futility or perhaps further enabling. But I do prefer labeling as SPAM to outright rejection in many cases. 3) It would be rather trivial to return spam to sender with a suitable admonishment but I decided that its not worth my time to write such a discriminator and maintain yet another set of rules about what gets quarantined and what gets returned: better to quarantine it so it can be analysed with the mk 1 eyeball. Martin To add my comment, returning SPAM, assuming it even reaches the original sender, may serve only to assure them of the effectiveness of their campaign to reach valid addresses. In effect "helping" them. Opinions vary, of course.
Re: subscribe to blacklist for domains
And, of course, I must edit my last reply: On 8/13/2022 10:21 AM, joe a wrote: My first thought was, the postfix stuff would work, because . . . My first thought was, the postfix stuff would NOT work, because . . .
Re: subscribe to blacklist for domains
Ah, thanks for describing that. I am somewhat more brain fogged than usual this morning, so am uncertain any of those would work in this configuration. But I certainly need to look deeper. At least into my coffee mug.

This is a low volume system consisting of postfix, SA, clamav and fetchmail. The mailserver (postfix) is not exposed to the internet, mail traffic is sent to it by "fetchmail", which itself goes out to several providers where mail accounts reside.

My first thought was, the postfix stuff would work, because . . . then I realized, I've not looked at those solutions for some time, if ever. So, I should stop here and look them over.

However, any real world "we did that" exists, please let me know.

joe a.

On 8/13/2022 9:52 AM, Bert Van de Poel wrote:

I think what Noel is referring to is Postfix configuration like this for example:

smtpd_recipient_restrictions =
  permit_mynetworks,
  permit_sasl_authenticated,
  reject_unauth_destination,
  reject_rbl_client zen.spamhaus.org,
  reject_rhsbl_reverse_client dbl.spamhaus.org,
  reject_rhsbl_helo dbl.spamhaus.org,
  reject_rhsbl_sender dbl.spamhaus.org,
  reject_non_fqdn_recipient,
  reject_unknown_recipient_domain

Notice the spamhaus links for different blocklist settings.

On 13/08/2022 15:38, joe a wrote:

On 8/12/2022 11:43 PM, Noel Butler wrote:

Why are you not blocking with blacklists at the border, ie: MTA.

I'm not familiar with how to do that or if it can be done. Since SA offers this functionality, so did not even consider that. I'll look into it.

Given its 0 resources for your MTA, with anti spam checking on SA often using significant resources (depending on traffic/number of tests/rules etc), its best to stop it getting to SA in the first place.
SA also has this by-default list of domains that it never checks, for along time I have disagreed with this, we are the ones to decide who gets whitelisted not SA, not some paid third party, the option clear_uridnsbl_skip_domain however prevents this, but then you have to locate and 0 all the general rulesets scores that are whitelists as well. The configuration/usage of those lists causes me great frustration. Semi retirement and infrequent "tech stuff" may be partly to blame.
Re: subscribe to blacklist for domains
On 8/12/2022 11:43 PM, Noel Butler wrote: Why are you not blocking with blacklists at the border, ie: MTA. I'm not familiar with how to do that or if it can be done. Since SA offers this functionality, so did not even consider that. I'll look into it. Given its 0 resources for your MTA, with anti spam checking on SA often using significant resources (depending on traffic/number of tests/rules etc), its best to stop it getting to SA in the first place. SA also has this by-default list of domains that it never checks, for along time I have disagreed with this, we are the ones to decide who gets whitelisted not SA, not some paid third party, the option clear_uridnsbl_skip_domain however prevents this, but then you have to locate and 0 all the general rulesets scores that are whitelists as well. The configuration/usage of those lists causes me great frustration. Semi retirement and infrequent "tech stuff" may be partly to blame.
subscribe to blacklist for domains
I need to refresh my brain on using blacklists with SA, before looking more deeply into why this got through. Today a email slipped through with a very low score that was clearly phishy. A url in question, posing as another, hits no less that 6 blacklists. I was going to look at clamav that is in use here, as I had just been tuning that a bit and realized that that may be using a hammer to drive a screw. so to speak. Or are they passe these days?
OT - logrotate size parameter
This is OT, but perhaps someone here knows. In the context of the logrotate conf file, what does the + sign indicate when used as a prefix size directive? Example: "size +4096k" Some conf files have it, some don't. Man pages do not mention it AFAICT and the internet is rather seems to ignore it.
Re: Hits on item with " No description available"
> On 2022-01-20 at 16:21:40 UTC-0500 (Thu, 20 Jan 2022 16:21:40 -0500)
> Joe Acquisto-j4
> is rumored to have said:
> . . . . .
> To figure out what matched, you'll need to check a message with the
> "rules" debug channel on:
>
> spamassassin -t -D rules < suspect.eml
>
> HOWEVER: In looking at your message, I'm 99.9% sure that what matched
> was a Received header recording a client calling itself simply 'mail'
> using an RFC1918 IP address which is also constructing a Message-Id
> using just 'mail' as the hostname part. Whatever that machine is, it
> should be using a FQDN instead of a bare hostname. Also, you could (and
> probably should) add that machine to your internal_networks setting,
> since an RFC1918 address is pretty much the definition of internal.
>
> --
> Bill Cole
> b...@scconsult.com or billc...@apache.org
> (AKA @grumpybozo and many *@billmail.scconsult.com addresses)
> Not Currently Available For Hire

Thanks for the debug tip. I've meant to fix that "mail" issue for some time. guess now is as good as any. Anyway the original whine has been resolved.

joe a.
Re: Hits on item with " No description available"
>>>> >> On 2022-01-20 15:47, Joe Acquisto-j4 wrote: >> X-Spam-Checker-Version: SpamAssassin 3.4.5 (2021-03-20) >> >> old version >> >>> * 1.8 FSL_HELO_NON_FQDN_1 No description available >> >> have you configured internal_networks, trusted_networks ? > > Yes, keeping up to date is not my strong suit. Or perhaps any other. > > I did configure them, but may have buggered them up while messing > around. But, a-hunting we will go. > > joe a. And, just like that . . . trusted_networks was missing one of the IP used on the machine. internal_networks was not. Odd. I don't recall doing that. Hopefully I have only been pwned and this is not an indication of diminishing mental capa . . cap... err , , stuff. Thanks to all for the tolerant assistance. joe a.
Re: Hits on item with " No description available"
>>> > On 2022-01-20 15:47, Joe Acquisto-j4 wrote: > >> X-Spam-Checker-Version: SpamAssassin 3.4.5 (2021-03-20) > > old version > >> * 1.8 FSL_HELO_NON_FQDN_1 No description available > > have you configured internal_networks, trusted_networks ? Yes, keeping up to date is not my strong suit. Or perhaps any other. I did configure them, but may have buggered them up while messing around. But, a-hunting we will go. joe a.
Re: Hits on item with " No description available"
> I followed my own advice about egrep -R and found this immediately
>
> it's in
>
> 3.004006/updates_spamassassin_org/72_active.cf
>
> and it is
>
> ##{ FSL_HELO_NON_FQDN_1
> header FSL_HELO_NON_FQDN_1 X-Spam-Relays-External =~ /^[^\]]+ helo=[a-zA-Z0-9-_]+ /i
> ##} FSL_HELO_NON_FQDN_1
>
> with score
>
> score FSL_HELO_NON_FQDN_1 2.361 0.001 1.783 0.001

No 3.004006 around here, but with your hints I did find location of the rules set and found the rules in a couple of earlier files. Thanks.
Re: Hits on item with " No description available"
> On 20.01.22 at 15:47, Joe Acquisto-j4 wrote:
>> Where can I get some idea of what the rule below actually checks for? I noticed some normally passed email was flagged as SPAM.
>>
>> Started seeing it sometime after making some configuration changes to local settings on postfix, attempting to isolate a "bug". But before reverting them all, or one at a time, I'd rather have a clue. Semi-informed hacking about can be problematic.
>>
>> X-Spam-Checker-Version: SpamAssassin 3.4.5 (2021-03-20)
>>
>> * 1.8 FSL_HELO_NON_FQDN_1 No description available
>
> in most cases by read the name with common sense
>
> HELO: should be known what it is
> NON: none should be clear
> FQDN: should be known what it is
>
> the description would be something like "HELO with no full qualified
> domain name" and won't help you either if you don't know that standard
> things when it comes to email
>
> the FSL_ prefix is as usual a shortname of the guy who wrote the rule

I would still like to examine that rule, but have not found it despite some effort to do so. Are they in "plain text" file or obfuscated/indexed in some manner? Doing a text search across the system might take time, but is a wasted effort if not in plain text.

Reason is, I do not see anything that should trigger this rule, based on the suggestions. Even reverted a couple of setting, see them reflected in headers, but it still triggers. So, I am missing something.

joe a.
Hits on item with " No description available"
Where can I get some idea of what the rule below actually checks for? I noticed some normally passed email was flagged as SPAM. Started seeing it sometime after making some configuration changes to local settings on postfix, attempting to isolate a "bug". But before reverting them all, or one at a time, I'd rather have a clue. Semi-informed hacking about can be problematic. X-Spam-Checker-Version: SpamAssassin 3.4.5 (2021-03-20) * 1.8 FSL_HELO_NON_FQDN_1 No description available Thanks joe a.
Re: SPAM scanned twice
I just forgot how email works, it seems. It just now struck me it is not be rescanned at all, but merely has the information posted again, so it appears as part of the "new message"? I thought it odd the SPAM scores were identical. That should have been the first clue x four. But, no . . . In the words of Lt. Commander Data, I was "chasing an untamed ornithoid without cause". Perhaps sheepishly yours . . . . joe a. > On Monday 12 July 2021 at 20:07:16, Joe Acquisto-j4 wrote: > >> SpamAssassin 3.4.5 (2021-03-20) on Suse Leap 15.2 (their distro IIRC) >> >> Noticed that mail marked as SPAM was scanned again by SA after it had been >> "disposed" as an attachment. >> >> I uncommented "report_safe 0" and did a restart of SA. Next SPAM came >> through as a normal email, still marked as SPAM and only scanned once. > > I think we'd need to know a bit more about how you have SpamAssassin > connected > in with your MTA, and what your delivery paths are, to be able to comment > usefully. > > > Antony > > -- > GIT/E d- s+:--(-) a+ C$(---) UL$ P+(---)>++ L+++()$ !E W(-) N(-) > o? w--(---) O !M V+++(--) !PS !PE Y+ PGP+> t- !tv@ b+++ DI++ D--- e+++(*) h++ > 5? !X- !R K--? G- > >Please reply to the list; > please *don't* CC > me.
SPAM scanned twice
SpamAssassin 3.4.5 (2021-03-20) on Suse Leap 15.2 (their distro IIRC) Noticed that mail marked as SPAM was scanned again by SA after it had been "disposed" as an attachment. I uncommented "report_safe 0" and did a restart of SA. Next SPAM came through as a normal email, still marked as SPAM and only scanned once. Don't recall seeing that behavior mentioned anywhere and wondering if it is "working as designed"?
Re: number in sender name
Thanks for all the solutions and suggestions. joe a. > Anyone have a regex example handy that can detect any number of digits before > @ sign? > Not a regex maven at all. What searching I did on this topic just served to > kick the bee hive. > > Perhaps memory fails, but was there not, once, a standard rule that >>> detected non alpha characters in >> sender name? The domain/provider is not of interest for this question. >> >> I think there was, but I suspect that the spam/ham ratio would be about >> even, which is probably why it doesn't show up now.
Re: number in sender name
Anyone have a regex example handy that can detect any number of digits before @ sign?

Not a regex maven at all. What searching I did on this topic just served to kick the bee hive.

>> Perhaps memory fails, but was there not, once, a standard rule that
>> detected non alpha characters in sender name? The domain/provider is not
>> of interest for this question.
>
> I think there was, but I suspect that the spam/ham ratio would be about
> even, which is probably why it doesn't show up now.
number in sender name
Using SpamAssassin 3.4.5 (2021-03-20)

Perhaps memory fails, but was there not, once, a standard rule that detected non alpha characters in sender name? The domain/provider is not of interest for this question.

Such as this item (not the actual sender name)

* 1.0 FREEMAIL_FROM Sender email is commonly abused enduser mail
*     provider
*     [abcd531if7[at]gmail.com]

Thanks.
Re: Why single periods in regex in spamassassin rules?
On 4/23/21 2:52 PM, David B Funk wrote:
> On Fri, 23 Apr 2021, Steve Dondley wrote:
>
>> I'm looking at KAM.cf. There is this rule:
>>
>> body __KAM_WEB2 /INDIA based IT|indian.based.website|certified.it.company/i
>>
>> I'm wondering if there is a good reason why a single period is used instead
>> of something like \s+ which would catch multiple spaces whereas a single
>> period doesn't.
>
> Because '/indian.based.website'/ will match 'indian-based_website' but \s will not.

This is the real reason (or at least, it was for all of my contributions to KAM.cf). I was also concerned about tricks like , which is visibly a space but has all the technical characteristics of non-whitespace. Using "." was easier than knowing everything about unicode codepoints.
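The trade-off discussed in this post, as an added example that is not part of the original thread or of KAM.cf. Python's `re` on plain strings stands in for the Perl regex engine, the sample strings are constructed, the `BOUNDED` variant is a hypothetical middle ground, and any whitespace normalization SpamAssassin applies before body rules is not modeled.

```python
import re

# The alternation from the quoted KAM.cf rule, unchanged.
DOT = re.compile(r"INDIA based IT|indian.based.website|certified.it.company", re.I)

# The variant proposed in the question: whitespace runs only.
WS = re.compile(r"INDIA based IT|indian\s+based\s+website|certified\s+it\s+company", re.I)

# Hypothetical middle ground (not from KAM.cf): one to three characters that are
# not letters or digits. Catches '-', '_', '.', runs of spaces, and other symbols.
SEP = r"[\W_]{1,3}"
BOUNDED = re.compile(
    rf"INDIA based IT|indian{SEP}based{SEP}website|certified{SEP}it{SEP}company", re.I
)

# Constructed sample phrases, one per behaviour worth seeing.
SAMPLES = [
    "an indian based website firm",   # plain single spaces
    "indian-based_website",           # the example given in the reply
    "indian  based  website",         # two spaces between words
    "certified.it.company",           # literal dots
    "indianXbasedXwebsite",           # letters as separators: '.' over-matches
    "indianbasedwebsite",             # no separator at all
]


def match_table(samples=SAMPLES):
    """Return {sample: (dot, whitespace, bounded)} with one bool per pattern."""
    return {
        s: (
            DOT.search(s) is not None,
            WS.search(s) is not None,
            BOUNDED.search(s) is not None,
        )
        for s in samples
    }


if __name__ == "__main__":
    print(f"{'sample':32} dot   \\s+   bounded")
    for sample, (dot, ws, bounded) in match_table().items():
        print(f"{sample!r:32} {dot!s:5} {ws!s:5} {bounded!s}")
```

The single `.` misses doubled separators and accepts any character at all, while `\s+` misses every non-whitespace separator; which miss matters more depends on what the mail stream actually contains.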
Re: results from lint
> On 26 Jan 2021, at 17:04, Joe Acquisto-j4 wrote:
>
>> running version 3.42.
>
> Presumably you meant 3.4.2...
>
> Unless that's a distro-patched variant, such as the ones RH and Debian
> produce, you should update to 3.4.4. There are significant security,
> performance, bugfix, and functionality improvements in the 2 latest
> "minor" releases, as there will be in the soon-to-come 3.4.5, which
> should be the terminal release for the 3.4 branch.
> . . .
>
> Did the lint actually fail?
>

No. I am a bit puzzled by what Benny Pedersen suggested, running lint without local.cf. Never tried it, or read anything, but presume the inference is it should have failed?

> The many "__E_LIKE_LETTER" and "__LOWER_E" hits are normal. Those
> subrules are part of the MIXED_ES metarule that was designed to catch a
> particular family of bogus extortion spams (the ones claiming to have
> recorded the victim consuming pornography and asking for ransom in
> cryptocurrency.) The target spams typically try to avoid Bayes by using
> a mix of Unicode characters that look like ASCII characters, notably
> variations on lower case 'e'. MIXED_ES has been scoring well in RuleQA
> for a surprisingly long time, although it MAY carry some risk that we
> miss because our submissions don't include a lot of non-English ham.

Thanks for helping me get the gist of that.

> It is possible that spamd and the spamassassin script are running as
> different users and that means that it is possible that they are using
> different per-user rules.

I'll check that, should not be the case, but, never know what I might have hacked and forgotten.

In any case, the problem is resolved, for now, all (I think) operator malfunction. Don't "multi task" as well these days.

joe a.

>
> --
> Bill Cole
> b...@scconsult.com or billc...@apache.org
> (AKA @grumpybozo and many *@billmail.scconsult.com addresses)
> Not Currently Available For Hire
Re: results from lint
>> On Tue, 26 Jan 2021, Joe Acquisto-j4 wrote:
>>
>>>>> On 2021-01-26 23:04, Joe Acquisto-j4 wrote:
>>>>>> Any suggestions?
>>>>>
>>>>> does it lint if local.cf is empty or non exists ?
>>>>
>>>> Just renamed local.cf and get the same results. Now I am more confused.
>>>> Too late for more coffee.
>>>
>>> spamd was stopped at the time.
>>
>> Are you using Amavis by any chance? Try restarting that.
>>
>>
>> --
>> John Hardin KA7OHZ
>
> clamd. I restarted it, but not clamd.milter, with no difference. I did not
> restart spamd after that.

Seems like operator error and confusion. Apparently I did not save one of the edits I made to local.cf.

Sorry for the bother.
Re: results from lint
> On Tue, 26 Jan 2021, Joe Acquisto-j4 wrote:
>
>>>> On 2021-01-26 23:04, Joe Acquisto-j4 wrote:
>>>>> Any suggestions?
>>>>
>>>> does it lint if local.cf is empty or non exists ?
>>>
>>> Just renamed local.cf and get the same results. Now I am more confused. Too
>>> late for more coffee.
>>
>> spamd was stopped at the time.
>
> Are you using Amavis by any chance? Try restarting that.
>
>
> --
> John Hardin KA7OHZ

clamd. I restarted it, but not clamd.milter, with no difference. I did not restart spamd after that.
Re: results from lint
> On Tue, 26 Jan 2021 17:04:17 -0500
> Joe Acquisto-j4 wrote:
>
>> Ran lint (spamassassin -D --lint) and noticed numerous (20-30 ?)
>> "__E_LIKE_LETTER," in sequence, followed by
>> "__GATED_THROUGH_RCVD_REMOVER,__HAS_FROM,__HAS_MESSAGE_ID,__HAS_MSGID,__HAS_SUBJECT,__KHOP_NO_FULL_NAME,__LOWER_E,"
>> with "__LOWER_E," repeated a similar number of times.
>
> What happens without the -D? If you have a concern about what's showing
> in the debug you would need to post something more complete. But having
> many __E_LIKE_LETTER hits is normal.

Without -D it seems to run clean. I did just find references to the repeats and quickly realized its functionality was beyond what I could deal with at the moment.
Re: results from lint
>> On 2021-01-26 23:04, Joe Acquisto-j4 wrote:
>>> Any suggestions?
>>
>> does it lint if local.cf is empty or non exists ?
>
> Just renamed local.cf and get the same results. Now I am more confused. Too
> late for more coffee.

spamd was stopped at the time.
Re: results from lint
> On 2021-01-26 23:04, Joe Acquisto-j4 wrote:
>
>> Any suggestions?
>
> does it lint if local.cf is empty or non exists ?

Just renamed local.cf and get the same results. Now I am more confused. Too late for more coffee.
results from lint
running version 3.42.

I added a rule in local.cf and restarted spamd. (systemctl restart spamd.service)

It hit. Changed the score on it and an existing rule and did a restart and they hit but neither score changed.

Ran lint (spamassassin -D --lint) and noticed numerous (20-30 ?) "__E_LIKE_LETTER," in sequence, followed by "__GATED_THROUGH_RCVD_REMOVER,__HAS_FROM,__HAS_MESSAGE_ID,__HAS_MSGID,__HAS_SUBJECT,__KHOP_NO_FULL_NAME,__LOWER_E," with "__LOWER_E," repeated a similar number of times.

Any suggestions?
Re: message size, mark if too large?
I forgot about this further down master.cf:

spamassassin unix - n n - - pipe
  flags=Rq user=spamfilter argv=/usr/local/bin/spamass.sh -e /usr/sbin/sendmail -oi -f ${sender} -- ${recipient}

spamass.sh consists of:

#!/bin/bash
/usr/bin/spamc -s 75 | /usr/sbin/sendmail -i "$@"
exit $?

It's been there all along. Not sure why I did it that way.

I guess I need to re-read something as I have been changing the -s value in spamc.conf and it seems to have an effect after a restart. I would have thought the value in master.cf would take precedence.

joe a

> First, you might want to look into using spamd and spam instead of
> SpamAssassin here. Right now you are compiling spam assassin every single
> email. Spamd will demonize it waiting for a connection and spamc is that
> lightweight connection glue.
>
> Second, I would guess sieve or procmail depending on your configuration can
> be used to add a header based on size.
>
> Regards. KAM
>
>
> On Sat, Dec 26, 2020, 18:47 Joe Acquisto-j4 wrote:
>
>> Umm, err, . . . well . . .
>>
>> Just what I robotically entered in postfix master.cf
>>
>> smtp inet n - n - - smtpd -o content_filter=spamassassin
>>
>> Is that what you were after?
>>
>>> What glue are you using to call SA?
>>>
>>> On Sat, Dec 26, 2020, 14:12 Joe Acquisto-j4 wrote:
>>>
>>>> Some mail with attached suspect files are larger than can be processed.
>>>> Looking for a way to flag such "oversize" messages as suspect even if not
>>>> processed.
>>>>
>>>> Is there a simple way? SpamAssassin version 3.4.2
Re: message size, mark if too large?
Umm, err, . . . well . . .

Just what I robotically entered in postfix master.cf

smtp inet n - n - - smtpd -o content_filter=spamassassin

Is that what you were after?

> What glue are you using to call SA?
>
> On Sat, Dec 26, 2020, 14:12 Joe Acquisto-j4 wrote:
>
>> Some mail with attached suspect files are larger than can be processed.
>> Looking for a way to flag such "oversize" messages as suspect even if not
>> processed.
>>
>> Is there a simple way? SpamAssassin version 3.4.2
message size, mark if too large?
Some mail with attached suspect files are larger than can be processed. Looking for a way to flag such "oversize" messages as suspect even if not processed. Is there a simple way? SpamAssassin version 3.4.2
Re: adding AV scanning to working Postfix/SA system
> What, specifically, is the config you're using to invoke CLAMAVPlugin?
>
> You need to have at least two things set up in your spamassassin config
> files:
> 1) load the plugin in a "v*.pre"
> 2) invoke the check_clamav() procedure
>
> EG:
> in v320.pre
>
> # AntiVirus - some simple anti-virus checks, this is not a replacement
> # for an anti-virus filter like Clam AntiVirus
> #
> #loadplugin Mail::SpamAssassin::Plugin::AntiVirus
> #
> loadplugin ClamAV /usr/local/etc/mail/spamassassin/plugins/clamav.pm
>
> Note that line depends on the path to where you've installed the plugin
>
> In a ".cf" rules file (I call mine clamav.cf ):
>

As a check, I commented out the loadplugin line for ClamAV, did systemctl restart spamd.service and systemctl restart clamd.service (which takes a good 40 seconds to complete, while spamd restarts almost instantly).

Using spamassassin -t < testfile.eml, it still reports ClamAV found a virus and names it. (eicar)

So, I have no idea how the plugin is loading. I have not found any other .pre files loading it.

Dunno if this may help - SpamAssassin version 3.4.2 running on Perl version 5.26.1

joea
Re: adding AV scanning to working Postfix/SA system
> On 03.12.20 at 03:00, Joe Acquisto-j4 wrote:
>>> On Wed, 02 Dec 2020 19:38:22 -0500
>>> Joe Acquisto-j4 wrote:
>>>
>>>> Malware is not being detected in the test form
>>>
>>> Just to be clear, do you have EICAR as an attached .com file?
>>
>> I thought so, but it appears not. has a form
>> that has both "clean" a eicar.com attachment selected and I assumed
>> both would be sent. And perhaps they were and one got stripped off
>> at the provider.
>>
>> Right now am having a difficult time getting my provider
>> to allow even the EICAR file through their system. They want to help
>> but seem stymied by some issue.
>>
>> Telnet from a local machine may be my next effort
>
> seriously?
>
> just save the mail from the drafts folder, move the eml file to the
> server and run spamassassin as the correct user
>
> spamassassin -t < sample.eml

Dude!

From what it output to the screen, it appears to have worked. A snippet for your amusement:

--
Spam detection software, running on the system "auxilary", has
identified this incoming email as possible spam. The original
message has been attached to this so you can view it or label
similar future email. If you have any questions, see
ad...@j4computers.com for details.

Content preview: heller

Content analysis details: (8.1 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
-1.9 BAYES_00               BODY: Bayes spam probability is 0 to 1%
                            [score: 0.]
-0.0 NO_RELAYS              Informational: message was not relayed via SMTP
  10 CLAMAV                 Clam AntiVirus detected a virus
                            [Win.Test.EICAR_HDB-1]
-0.0 NO_RECEIVED            Informational: message has no Received headers
 0.0 BODY_SINGLE_WORD       Message body is only one word (no spaces)
-

Did not deliver the message anywhere that I could see, but I guess that is expected. I know I can find documents somewhere . . .

Thanks.
Re: adding AV scanning to working Postfix/SA system
> On Wed, 02 Dec 2020 19:38:22 -0500
> Joe Acquisto-j4 wrote:
>
>> Malware is not being detected in the test form
>
> Just to be clear, do you have EICAR as an attached .com file?

I thought so, but it appears not. has a form that has both "clean" a eicar.com attachment selected and I assumed both would be sent. And perhaps they were and one got stripped off at the provider.

Right now am having a difficult time getting my provider to allow even the EICAR file through their system. They want to help but seem stymied by some issue.

Telnet from a local machine may be my next effort.

joe a.
Re: adding AV scanning to working Postfix/SA system
Malware is not being detected in the test form

--
Return-path:
Received: from aux.a.com ([192.168.0.xx1]) by mail with ESMTP; Wed, 02 Dec 2020 19:30:16 -0500
Received: by aux.a.com (Postfix, from userid 1004) id 1D0F729D74; Wed, 2 Dec 2020 19:30:16 -0500 (EST)
X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on auxilary
X-Spam-Level:
X-Spam-Status: No, score=-1.5 required=5.0 tests=BAYES_00 autolearn=ham autolearn_force=no version=3.4.2
X-Spam-Virus: No
X-Spam-Report:
 * -1.5 BAYES_00 BODY: Bayes spam probability is 0 to 1%
 * [score: 0.]
Received: from auxilary (localhost [127.0.0.1]) by aux.a.com (Postfix) with ESMTP id 853C029D72

Might verbose or debug level logging be of any help? Not seeing anything different when I tail /var/log/mail.

joe a.
Re: adding AV scanning to working Postfix/SA system
> On Wed, 2 Dec 2020, Tom Hendrikx wrote:
>
>> On 02-12-2020 16:18, Joe Acquisto-j4 wrote:
>>> X-Spam-Virus: _CLAMAVRESULT
>>
>> I never integrated Clam using this plugin, but this seems a config typo to
>> be: there should be a Yes/No in there, and optionally a virus name.
>
> Yes, it looks like he's got a type-o in there. The config line should be:
> "add_header spam Clamav _CLAMAVRESULT_"
> in a .cf someplace.
> Then the plugin will add that 'X-Spam-Virus:' header with the text "Yes"
> followed by the name of the virus detected.
>
> You can then use the value of that header in other rules to add points for
> various kinds of things detected or "meta"ed with other rules.

Is this normal, to show disable like that?

:~ # systemctl status clamd.service
clamd.service - Clamav antivirus Deamon
   Loaded: loaded (/usr/lib/systemd/system/clamd.service; disabled; vendor preset: disabled)
   Active: active (running) since Wed 2020-12-02 10:57:33 EST; 3h 33min ago
  Process: 8000 ExecStart=/usr/sbin/clamd (code=exited, status=0/SUCCESS)
 Main PID: 8002 (clamd)
    Tasks: 2 (limit: 4915)
   CGroup: /system.slice/clamd.service
           └─8002 /usr/sbin/clamd

I did systemctl enable clamd.service, it created a symlink, restarted services and . . . none of that did it.

Then I looked over the clamv.cf again and noticed the missing trailing underscore

"add_header all Virus _CLAMAVRESULT_"

At least it now says "No" for supposedly non infected messages.

Thanks for the assistance.

joe a
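The mistake found in this post (a template tag missing its closing underscore, which SpamAssassin then writes out literally) can be caught mechanically. The following is an added example, not code from the thread or from SpamAssassin; the function names are hypothetical, the broken config and the headers are the ones posted in this thread, and the `Status` line in the fixed config is constructed from standard tags.

```python
import re
from email import message_from_string

# A template tag is _NAME_ or _NAME(args)_. Group 3 captures the closing
# underscore; when it is empty the tag was never terminated. The lookbehind
# keeps rule names such as FREEMAIL_FROM from being read as tags.
TAG = re.compile(r"(?<![A-Za-z0-9_])_([A-Z][A-Z0-9]*)(\([^)]*\))?(_?)")


def unterminated_tags(text):
    """Return tag-like tokens in `text` that lack the closing underscore."""
    return [
        "_" + m.group(1) + (m.group(2) or "")
        for m in TAG.finditer(text)
        if not m.group(3)
    ]


def lint_add_header(cf_text):
    """Check every add_header line of a .cf file.

    Returns a list of (line number, header name, offending tag).
    """
    findings = []
    for lineno, line in enumerate(cf_text.splitlines(), 1):
        parts = line.split(None, 3)  # add_header <spam|ham|all> <name> <value>
        if len(parts) < 4 or parts[0] != "add_header":
            continue
        for tag in unterminated_tags(parts[3]):
            findings.append((lineno, parts[2], tag))
    return findings


def literal_tags_in_message(raw_message):
    """Find X-Spam-* headers of a delivered message that still carry a raw tag."""
    msg = message_from_string(raw_message)
    return [
        (name, tag)
        for name, value in msg.items()
        if name.lower().startswith("x-spam-")
        for tag in unterminated_tags(value)
    ]


# The config as posted in this thread (the 'before').
BROKEN_CF = """\
loadplugin ClamAV clamav.pm
full CLAMAV eval:check_clamav()
describe CLAMAV Clam AntiVirus detected a virus
score CLAMAV 10
add_header all Virus _CLAMAVRESULT
"""

# The corrected line from this post, plus a constructed Status line.
FIXED_CF = """\
add_header all Virus _CLAMAVRESULT_
add_header all Status "_YESNO_, score=_SCORE_ required=_REQD_"
"""

# Headers as they appeared in the thread, followed by a constructed body.
DELIVERED = (
    "X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on auxilary\n"
    "X-Spam-Level: *\n"
    "X-Spam-Status: No, score=1.0 required=5.0 tests=BAYES_00,FREEMAIL_FROM,\n"
    "\tHTML_MESSAGE,SPOOFED_FREEMAIL_NO_RDNS,TVD_SPACE_RATIO autolearn=no\n"
    "\tautolearn_force=no version=3.4.2\n"
    "X-Spam-Virus: _CLAMAVRESULT\n"
    "\n"
    "constructed body\n"
)

if __name__ == "__main__":
    print("config findings: ", lint_add_header(BROKEN_CF))
    print("after the fix:   ", lint_add_header(FIXED_CF))
    print("message findings:", literal_tags_in_message(DELIVERED))
```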
Re: adding AV scanning to working Postfix/SA system
> On Wed, 2 Dec 2020, Tom Hendrikx wrote:
>
>> On 02-12-2020 16:18, Joe Acquisto-j4 wrote:
>>> X-Spam-Virus: _CLAMAVRESULT
>>
>> I never integrated Clam using this plugin, but this seems a config typo to
>> be: there should be a Yes/No in there, and optionally a virus name.
>
> Yes, it looks like he's got a type-o in there. The config line should be:
> "add_header spam Clamav _CLAMAVRESULT_"
> in a .cf someplace.
> Then the plugin will add that 'X-Spam-Virus:' header with the text "Yes"
> followed by the name of the virus detected.
>
> You can then use the value of that header in other rules to add points for
> various kinds of things detected or "meta"ed with other rules.

This is clamd.cf:

--
loadplugin ClamAV clamav.pm
full CLAMAV eval:check_clamav()
describe CLAMAV Clam AntiVirus detected a virus
score CLAMAV 10
add_header all Virus _CLAMAVRESULT
---
Re: adding AV scanning to working Postfix/SA system
> On Wed, 2 Dec 2020, Joe Acquisto-j4 wrote:
>
>> Hacking away, seem to have it working?, Using CLAMAVPlugin. At least mail
>> does not appear "broken".
>>
>> But EICAR is not detected. I "think" it is being scanned as I see this:
>>
>> *
>> X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on auxilary
>> X-Spam-Level: *
>> X-Spam-Status: No, score=1.0 required=5.0 tests=BAYES_00,FREEMAIL_FROM,
>> HTML_MESSAGE,SPOOFED_FREEMAIL_NO_RDNS,TVD_SPACE_RATIO autolearn=no
>> autolearn_force=no version=3.4.2
>> X-Spam-Virus: _CLAMAVRESULT
>> X-Spam-Report:
>> * -1.5 BAYES_00 BODY: Bayes spam probability is 0 to 1%
>> * [score: 0.]
>> * 1.0 FREEMAIL_FROM Sender email is commonly abused enduser mail
>> * provider (joe.acquisto[at]gmail.com)
>> * 0.0 HTML_MESSAGE BODY: HTML included in message
>> * 0.0 TVD_SPACE_RATIO No description available.
>> * 1.5 SPOOFED_FREEMAIL_NO_RDNS From SPOOFED_FREEMAIL and no rDNS
>> *
>>
>> Is that proof it is being scanned and the non detection issue lies elsewhere?
>>
>> joe a.
>
> What, specifically, is the config you're using to invoke CLAMAVPlugin?

I followed, using some guess work, the blurb I found on the spamassassin site where I found CLAMAVPlugin. Not really clear for a slowing noob.

I had to look up how to compile the required perl package, which went without fuss, copied and pasted the "config" files noted, only adding read rights (for root) as something complained about no access and edited the "socket" path to what CLAMD claims it uses.

And restarted spamd and clamd. That's it.

> You need to have at least two things set up in your spamassassin config
> files:
> 1) load the plugin in a "v*.pre"
> 2) invoke the check_clamav() procedure
>
> EG:
> in v320.pre
>
> # AntiVirus - some simple anti-virus checks, this is not a replacement
> # for an anti-virus filter like Clam AntiVirus
> #
> #loadplugin Mail::SpamAssassin::Plugin::AntiVirus
> #
> loadplugin ClamAV /usr/local/etc/mail/spamassassin/plugins/clamav.pm
>
> Note that line depends on the path to where you've installed the plugin
>
> In a ".cf" rules file (I call mine clamav.cf ):
>
> #
> # config file for using the ClamAV plugin "clamav.pm"
> #
> full L_CLAMAV eval:check_clamav()
> describe L_CLAMAV Clam AntiVirus detected a virus
> score L_CLAMAV 5
> #
> header T__MY_CLAMAV X-Spam-Virus =~ /Yes/i
> header T__MY_CLAMAV_SANE X-Spam-Virus =~ /Yes.{1,50}Sanesecurity/i
> #
>

I was wondering at how the "magic" happened. Found this in v.310.pre, no other references to clam found in the pre files or local.cf.:

# AntiVirus - some simple anti-virus checks, this is not a replacement
# for an anti-virus filter like Clam AntiVirus
#
#loadplugin Mail::SpamAssassin::Plugin::AntiVirus

# AWL - do auto-whitelist checks
#
#loadplugin Mail::SpamAssassin::Plugin::AWL
Re: adding AV scanning to working Postfix/SA system
>> On 23.11.20 at 17:37, Joe Acquisto-j4 wrote:
>>> So, beyond "experiences" any leads on generic "how to" guides that actually work in
>>> practice? I've found a few, rather than chase geese, I'm sure some here have done
>>> similar things, even if with other AV scanners
>>
>> http://www.postfix.org/MILTER_README.html
>> https://sanesecurity.com/
>>
> . . .
>
> I decided to pursue CLAMAV as it seems to be well maintained and lots of
> "links for dummies" turned up.
>
> After installing CLAMAV, as supplied in the openSuse distribution, updating
> virus sigs I attempted to begin configuring per some of the how to's.
>
> Most are years old, have links that lead nowhere, call out config files that
> do not exist (as installed above), or refer to "clamd sockets" that cannot be found.
>
> I feel sure this is old hat to more experienced souls, but, for me, this has
> been far more frustrating than I anticipated.
>
> At this point, not even sure what I actually need as, as noted, there seem
> to be myriad ways to approach a solution. Obviously prefer the simplest method.
>
> Subscribed just now to CLAMAV users list and should probably pursue this
> over there. But any tutoring and or "there there" pats on the head would not be snarled at.

Hacking away, seem to have it working?, Using CLAMAVPlugin. At least mail does not appear "broken".

But EICAR is not detected. I "think" it is being scanned as I see this:

*
X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on auxilary
X-Spam-Level: *
X-Spam-Status: No, score=1.0 required=5.0 tests=BAYES_00,FREEMAIL_FROM,
HTML_MESSAGE,SPOOFED_FREEMAIL_NO_RDNS,TVD_SPACE_RATIO autolearn=no
autolearn_force=no version=3.4.2
X-Spam-Virus: _CLAMAVRESULT
X-Spam-Report:
* -1.5 BAYES_00 BODY: Bayes spam probability is 0 to 1%
* [score: 0.]
* 1.0 FREEMAIL_FROM Sender email is commonly abused enduser mail
* provider (joe.acquisto[at]gmail.com)
* 0.0 HTML_MESSAGE BODY: HTML included in message
* 0.0 TVD_SPACE_RATIO No description available.
* 1.5 SPOOFED_FREEMAIL_NO_RDNS From SPOOFED_FREEMAIL and no rDNS
*

Is that proof it is being scanned and the non detection issue lies elsewhere?

joe a.
Re: adding AV scanning to working Postfix/SA system
> On 23.11.20 at 17:37, Joe Acquisto-j4 wrote:
>> So, beyond "experiences" any leads on generic "how to" guides that actually work in
>> practice? I've found a few, rather than chase geese, I'm sure some here have done
>> similar things, even if with other AV scanners
>
> http://www.postfix.org/MILTER_README.html
> https://sanesecurity.com/
>

. . .

I decided to pursue CLAMAV as it seems to be well maintained and lots of "links for dummies" turned up.

After installing CLAMAV, as supplied in the openSuse distribution, updating virus sigs I attempted to begin configuring per some of the how to's.

Most are years old, have links that lead nowhere, call out config files that do not exist (as installed above), or refer to "clamd sockets" that cannot be found.

I feel sure this is old hat to more experienced souls, but, for me, this has been far more frustrating than I anticipated.

At this point, not even sure what I actually need as, as noted, there seem to be myriad ways to approach a solution. Obviously prefer the simplest method.

Subscribed just now to CLAMAV users list and should probably pursue this over there. But any tutoring and or "there there" pats on the head would not be snarled at.
Re: adding AV scanning to working Postfix/SA system
> On 11/24/20 12:40 PM, Axb wrote:
>> Fuglu supports Sophos AV
>> See fuglu.org
>
> Sophos recently discontinued their support for SAVI on Linux. They now
> only support "Server Central Intercept X Advanced" which is an entirely
> different product.
>
> I would also be interested in newer/supported AV alternatives.
>
> Regards,
> Dave
>

Where did you hear this? I was just informed it will continue until 2023 at least. The "Free" version is no longer available, apparently, but the "endpoint" product is still there for paying customers.

joe a.

- j4computers, llc Stone Ridge, NY 12484 845-687-3734 www.j4computers.com -
Re: adding AV scanning to working Postfix/SA system
> On 11/24/20 12:40 PM, Axb wrote:
>> Fuglu supports Sophos AV
>> See fuglu.org
>
> Sophos recently discontinued their support for SAVI on Linux. They now
> only support "Server Central Intercept X Advanced" which is an entirely
> different product.
>
> I would also be interested in newer/supported AV alternatives.
>
> Regards,
> Dave
>

Well, that's a fine how do ya do.

Eh, this was more an "exercise" project anyway. I suppose almost any scanner with reasonable updating capability will do fine.

- j4computers, llc Stone Ridge, NY 12484 845-687-3734 www.j4computers.com -
Re: adding AV scanning to working Postfix/SA system
So, beyond "experiences" any leads on generic "how to" guides that actually work in practice? I've found a few, rather than chase geese, I'm sure some here have done similar things, even if with other AV scanners.

> SOHO system, on virtual machines. Fairly recent versions. Running openSUSE
> Leap 15.1.
>
> Due to some recent malware (obvious stuff) wanted to add AV scanning. I
> gather "Amavis-new" is the hot ticket these days,
>
> I deal with Sophos products and would like to use their linux product to do
> the scanning. Seems to be precious little on how to do that.
>
> Any experiences?
>

- j4computers, llc Stone Ridge, NY 12484 845-687-3734 www.j4computers.com -
adding AV scanning to working Postfix/SA system
SOHO system, on virtual machines. Fairly recent versions. Running openSUSE Leap 15.1. Due to some recent malware (obvious stuff) wanted to add AV scanning. I gather "Amavis-new" is the hot ticket these days, I deal with Sophos products and would like to use their linux product to do the scanning. Seems to be precious little on how to do that. Any experiences? - j4computers, llc Stone Ridge, NY 12484 845-687-3734 www.j4computers.com -
Re: Why the new changes need to be "depricated" forever
> On 7/24/20 7:41 PM, Noel Butler wrote:
>
>> On 24/07/2020 23:26, Benny Pedersen wrote:
>> Noel Butler wrote on 2020-07-24 14:57:
>>> because it shits trolls like you off
>>>
>>> https://imgur.com/pHlUeZY?fbclid=IwAR2l8HBDnXST5-adnmyIbBAsq16sZeGNhfqHwBNM8IkQZsir2aUw-H919hk
>>
>>
>> dunno what you referenced benny I only click on links that are from
>> friends/family/trusted sources - which you are none of
>>
>> but your so stupid you forget most people on this list are seasoned
>> network/system admins and take the same approach.
>>
> What.. you can't look at a photo on the net, and protect yourself in the
> process? Some of us really ARE seasoned network/system admins - who
> know how to follow links without getting hacked.
>
> Jeez... talk about trolls.
>
>
>
> --
> In theory, there is no difference between theory and practice.
> In practice, there is. Yogi Berra
>

Yes, well . . .

https://www.snopes.com/fact-check/practice-and-theory/
https://checkyourfact.com/2019/08/28/yogi-berra-theory-difference-practice/

- j4computers, llc Stone Ridge, NY 12484 845-687-3734 www.j4computers.com -
Re: How to define rule?
> Not sure how to phrase the question, but I wonder about creating a rule.
>
> In /etc/mail/spamassassin/local.cf I see the following, and believe it is a
> long forgotten custom rule:
>
> header PW_IS_BAD_TLD From =~ /\.pw\b/
> describe PW_IS_BAD_TLD PW TLD ABUSE
> score PW_IS_BAD_TLD 4.0
>
> Could someone describe the basics of this, or point me to a good starting
> point to figure it out? I presume the "header" part defining "From" with a
> Regex, then assigning a weight with "score".
>

Well, never mind, for now anyway. It was easier to find an easy to follow guide than I feared.

--
+++ joea@@j4computers.com https://www.j4computers.com 845-687-3734 +++
How to define rule?
Not sure how to phrase the question, but I wonder about creating a rule.

In /etc/mail/spamassassin/local.cf I see the following, and believe it is a long forgotten custom rule:

header PW_IS_BAD_TLD From =~ /\.pw\b/
describe PW_IS_BAD_TLD PW TLD ABUSE
score PW_IS_BAD_TLD 4.0

Could someone describe the basics of this, or point me to a good starting point to figure it out? I presume the "header" part defining "From" with a Regex, then assigning a weight with "score".

--
+++ joea@@j4computers.com https://www.j4computers.com 845-687-3734 +++
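What the regex in that rule actually matches, as an added example that is not part of the original post. Python's `re` stands in for the Perl engine (the `\b` behaviour is the same for these ASCII inputs), the From headers are constructed, and the function names are hypothetical.

```python
import re
from email.utils import parseaddr

# The regex from the local.cf rule, applied to the whole From header value.
# It is case-sensitive because the rule carries no /i modifier.
ORIGINAL = re.compile(r"\.pw\b")


def original_rule(from_header):
    """True when the rule as written would hit on this From header."""
    return ORIGINAL.search(from_header) is not None


def sender_tld_is(from_header, tld="pw"):
    """Stricter check: isolate the address, then compare only the last label
    of its domain, ignoring case. A comparable SpamAssassin rule would test
    the address alone and anchor the match, for example
    header PW_IS_BAD_TLD From:addr =~ /\\.pw$/i
    """
    _display_name, addr = parseaddr(from_header)
    _local, at, domain = addr.rpartition("@")
    if not at or "." not in domain:
        return False
    return domain.lower().rsplit(".", 1)[1] == tld


# Constructed From headers covering the intended hit and the edge cases.
SAMPLES = [
    '"Offers" <deal@promo.pw>',                # intended target
    "Jane <jane.pw@example.com>",              # ".pw" inside the local part
    '"Acme.pw Support" <help@acme.example>',   # ".pw" inside the display name
    "news@mail.pw.example.org",                # "pw" is a subdomain label
    "bob@example.pwc.com",                     # \b stops this one
    "Sales <deal@PROMO.PW>",                   # upper-case domain
]


def compare(samples=SAMPLES):
    """Return [(header, original_rule_hit, strict_hit), ...]."""
    return [(s, original_rule(s), sender_tld_is(s)) for s in samples]


if __name__ == "__main__":
    for header, loose, strict in compare():
        print(f"{header:42} original={loose!s:5} strict={strict}")
```

With a score of 4.0 against the usual 5.0 threshold, the three unintended hits and the missed upper-case domain are the cases worth checking against real mail before keeping the rule.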
Re: Yet another simple question - how to reprocess an email
> On Thu, 2019-11-28 at 22:12 -0500, Joe Acquisto-j4 wrote:
>> I use fetchmail on a different box to pull mail from several
>> accounts at an ISP and send those messages to the SA/postfix box.
>>
> OK, more similar to my setup, then, than I'd guessed.
>
> FWIW I used to use fetchmail, but found bugs, such as periodically
> having to delete old messages from the ISP mailbox which fetchmail had
> failed to delete. So, I switched to getmail and these problems went
> away. Getmail worked just fine using the MDA script I wrote for
> fetchmail and its configuration file is similar to the fetchmail one.
>
>>
>> /usr/bin/spamc -s 75 < test.txt | /usr/sbin/sendmail -t -i "$@"
>>
> Good. I'm pleased that works for you.
>
> Martin

I basically just copied that line from master.cf and altered it to eliminate some things it complained about. Not perfect, as the "From" in the resultant message is enclosed in "<>", and the log complains about unknown user (running as), but I can look into that.

I noticed that fetchmail behavior as well, in earlier versions. Since I am now a few revisions behind, not only with fetchmail, I may give getmail a look.

--
+++ joea@@j4computers.com https://www.j4computers.com 845-687-3734 +++
Re: Yet another simple question - how to reprocess an email
>> On Thu, 2019-11-28 at 18:38 -0500, Joe Acquisto-j4 wrote:
>>
>>>>> Is there any tangent down this path were I can get the dropped
>>>>> "test" message to actually flow through, in "normal" fashion?
>>
>> . . .
>> My set up is a little odd in that my pipeline used getmail to retrieve
>> mail from my ISP's smarthost and precedes my MTA with a pipeline like
>> this, where 'spamkiller' is a simple C program that looks at the spam
>> headers to see whether its spam or ham. Spam is sent to a holding area
>> and ham is passed to Postfix for delivery. Here's a diagram:
>>
>> getmail --> spamc --> spamkiller --ham--> sendmail --> postfix
>>                           |
>>                           +--spam--> spam quarantine store
>>
>> Most people simply splice spamc into Postfix's internal pipeline,
>> defined in master.cf, which connects its mail reception process to its
>> delivery process.
>>
>> Martin
>
> Oh, now you are asking me to think, or, revisit stuff I setup a looong time
> ago.
>
> I use fetchmail on a different box to pull mail from several accounts at an
> ISP and send those messages to the SA/postfix box.
>
> I can post the spamassassin line from master.cf if needed but basically SA
> and sendmail/postfix are on the same box, and when anti-spam processing is
> complete postfix then delivers to yet another box for final disposal.
>
> joe a.
>

Well, success, I think anyway. This seems to do it from the command line:

/usr/bin/spamc -s 75 < test.txt | /usr/sbin/sendmail -t -i "$@"

Thanks for the kick.

joe a.

--
+++ joea@@j4computers.com https://www.j4computers.com 845-687-3734 +++
Re: Yet another simple question - how to reprocess an email
> On Thu, 2019-11-28 at 18:38 -0500, Joe Acquisto-j4 wrote:
>
>>>> Is there any tangent down this path were I can get the dropped
>>>> "test" message to actually flow through, in "normal" fashion?
>>
>>> From logs I can see that spamd does seem to give the message a
>>> taste, as I can follow /var/log/mail and see activity at the precise time
>>> I feed it, but the message does not seem to be delivered.
>>
>> I've tried some other off box methods as well, including using CURL
>> which is purported to have smtp ability, yet I get syntax
>> errors or invalid option as the touted features do not exist in
>> versions in use here.
>>
> What are you doing with the message after it comes back from spamc?
>
> spamc should be in some sort of pipeline that grabs the message after it
> has had X-Spam headers inserted and pass it to whatever will queue it
> for the intended recipient's MUA.
>
> My set up is a little odd in that my pipeline used getmail to retrieve
> mail from my ISP's smarthost and precedes my MTA with a pipeline like
> this, where 'spamkiller' is a simple C program that looks at the spam
> headers to see whether its spam or ham. Spam is sent to a holding area
> and ham is passed to Postfix for delivery. Here's a diagram:
>
> getmail --> spamc --> spamkiller --ham--> sendmail --> postfix
>                           |
>                           +--spam--> spam quarantine store
>
> Most people simply splice spamc into Postfix's internal pipeline,
> defined in master.cf, which connects its mail reception process to its
> delivery process.
>
> Martin

Oh, now you are asking me to think, or, revisit stuff I setup a looong time ago.

I use fetchmail on a different box to pull mail from several accounts at an ISP and send those messages to the SA/postfix box.

I can post the spamassassin line from master.cf if needed but basically SA and sendmail/postfix are on the same box, and when anti-spam processing is complete postfix then delivers to yet another box for final disposal.

joe a.

--
+++ joea@@j4computers.com https://www.j4computers.com 845-687-3734 +++
Re: Yet another simple question - how to reprocess an email
>>>
>>>> >> On Thu, 2019-11-28 at 11:56 -0500, Joe Acquisto-j4 wrote:
>>> I want to be able to reprocess a particular email, marked as SPAM,
>>> after making some SA tweaks.
>>>
>> I do something similar with a collection of test messages, mostly
>> received spam, that I use to test my local SA rule set.
>>
>> Essentially, all I do is:
>>
>> 1) remove all headers starting with 'X-Spam', otherwise the X-Spam
>>    headers injected when the piece of spam was received will still be
>>    there after I've run the test. This is confusing rather than harmful,
>>    but the cleaner is just a script using awk. See below.
>>
>> 2) pass the message through spamd by running:
>>
>>    spamc --max-size=200
>
>>    and examine the result
>>
>
> Thanks. Helpful. I did not test the cleaner as I had already, in effect,
> "sanitized" the message.
>
> What I had hoped to do was allow this to flow through and be delivered to the
> end point, as if under normal circumstances.
>
> joe a.
>

Gentlefolks . . .

Is there any tangent down this path where I can get the dropped "test" message to actually flow through, in "normal" fashion?

From logs I can see that spamd does seem to give the message a taste, as I can follow /var/log/mail and see activity at the precise time I feed it, but the message does not seem to be delivered.

I've tried some other off box methods as well, including using CURL which is purported to have smtp ability, yet I get syntax errors or invalid option as the touted features do not exist in versions in use here.

-- +++ joea@@j4computers.com https://www.j4computers.com 845-687-3734 +++
Re: Yet another simple question - how to reprocess an email
>>>
> On Thu, 2019-11-28 at 11:56 -0500, Joe Acquisto-j4 wrote:
>> I want to be able to reprocess a particular email, marked as SPAM,
>> after making some SA tweaks.
>>
> I do something similar with a collection of test messages, mostly
> received spam, that I use to test my local SA rule set.
>
> Essentially, all I do is:
>
> 1) remove all headers starting with 'X-Spam', otherwise the X-Spam
>    headers injected when the piece of spam was received will still be
>    there after I've run the test. This is confusing rather than harmful,
>    but the cleaner is just a script using awk. See below.
>
> 2) pass the message through spamd by running:
>
>    spamc --max-size=200
>    and examine the result
>

Thanks. Helpful. I did not test the cleaner as I had already, in effect, "sanitized" the message.

What I had hoped to do was allow this to flow through and be delivered to the end point, as if under normal circumstances.

joe a.

-- +++ joea@@j4computers.com https://www.j4computers.com 845-687-3734 +++
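The header-cleaning step quoted above refers to an awk script that is not reproduced on this page. The following is an added example of such a cleaner, not the script from the thread: the function names `strip_xspam`, `sample_message` and `reprocess` are hypothetical, the sample message is constructed, and `reprocess` assumes `spamc` and a sendmail-compatible binary are on PATH.

```shell
#!/bin/sh
# Remove every header whose name starts with "X-Spam" (any case), together
# with its folded continuation lines. Only the header block is touched; the
# body, which starts after the first empty line, is copied unchanged.
strip_xspam() {
    awk '
        BEGIN { in_hdr = 1; drop = 0 }
        !in_hdr  { print; next }               # body: copy verbatim
        /^$/     { in_hdr = 0; print; next }   # empty line ends the headers
        /^[ \t]/ { if (!drop) print; next }    # continuation follows its header
        { drop = (tolower($0) ~ /^x-spam/); if (!drop) print }
    ' "$@"
}

# Constructed sample (not a message from the thread): stale SpamAssassin
# headers, one of them folded, plus a body line that merely looks like one.
sample_message() {
    printf '%s\n' \
        'From: sender@example.com' \
        'X-Spam-Flag: YES' \
        'X-Spam-Status: Yes, score=7.1 required=5.0' \
        ' tests=CONSTRUCTED_RULE_A,CONSTRUCTED_RULE_B' \
        'Subject: test' \
        '' \
        'X-Spam-Flag: this line is body text and must survive'
}

# Rescan a saved message and hand the result to the local MTA.
# $1 = saved message file, $2 = envelope recipient (both supplied by you).
# Whether the MTA scans locally submitted mail a second time depends on how
# its content filter is wired up, so check that before relying on this.
reprocess() {
    strip_xspam "$1" | spamc | sendmail -i "$2"
}
```

Running `sample_message | strip_xspam` shows the effect without touching spamd or the mail queue.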
Yet another simple question - how to reprocess an email
Well, here goes, asbestos pants on. I did, honest, do some searching before asking this. I want to be able to reprocess a particular email, marked as SPAM, after making some SA tweaks. Basically I have saved the email, which was received as an attachment, as a text file. Thinking to simply drop this file into a queue somewhere in the receive process and just let her rip. However I was given pause by the message numbering that sendmail seems to use. The process is mail is delivered by a "fetching" server, to a sendmail box, which also hosts SA, after processing is delivered to another on prem box. Thanks for any assistance. -- +++ joea@@j4computers.com https://www.j4computers.com 845-687-3734 +++
Re: Large email -size limits?
>>> On 4/1/2019 at 3:04 PM, in message <20190401200413.26170...@gumby.homeunix.com>, RW wrote:
> On Mon, 01 Apr 2019 14:55:31 -0400
> Joe Acquisto-j4 wrote:
>
>> >>> On 4/1/2019 at 12:02 PM, in message
>> <86dcd67b-89d7-b1d7-ff98-627b06a4f...@thelounge.net>, Reindl Harald
>> wrote:
>>
>> >
>> > On 01.04.19 at 17:53, Joe Acquisto-j4 wrote:
>> >> Occasionally an obvious phish gets through, traced to being over
>> >> the "skip
>> > it" size limit.
>> >>
>> >> Any written guidelines to rational limit on message size? Or
>> >> suggestions
>> > from "hands on" experience?
>> >
>> > as big as possible, for many years
>>
>> I must display my ignorance for all to see.
>>
>> I understand the size limit decision is done by spamc, correct? So
>> far I am unable to determine how to implement the size limit change.
>> The docs speak to a -s option in "a configuration file", but do not
>> specify, far as I can tell, what that config file is.
>>
>> I took a stab at /etc/mail/spamassassin/local.cf but it was ignored
>> and left me this in /var/log/mail "Apr 1 13:55:38 open-122
>> spamd[14040]: config: failed to parse line, skipping, in
>> "/etc/mail/spamassassin/local.cf": -s n"
>>
>> So, I presume I presumed incorrectly.
>>
>
> It's spamc.conf in the same directory as local.cf.
>
> It is actually documented in the manual, but it doesn't exactly stand
> out.

Thanks. Seems to have accepted it.

-- +++ joea@@j4computers.com https://www.j4computers.com 845-687-3734 +++
Re: Large email -size limits?
>>> On 4/1/2019 at 12:02 PM, in message <86dcd67b-89d7-b1d7-ff98-627b06a4f...@thelounge.net>, Reindl Harald wrote:
>
> On 01.04.19 at 17:53, Joe Acquisto-j4 wrote:
>> Occasionally an obvious phish gets through, traced to being over the "skip
> it" size limit.
>>
>> Any written guidelines to rational limit on message size? Or suggestions
> from "hands on" experience?
>
> as big as possible, for many years

I must display my ignorance for all to see.

I understand the size limit decision is done by spamc, correct? So far I am unable to determine how to implement the size limit change. The docs speak to a -s option in "a configuration file", but do not specify, far as I can tell, what that config file is.

I took a stab at /etc/mail/spamassassin/local.cf but it was ignored and left me this in /var/log/mail "Apr 1 13:55:38 open-122 spamd[14040]: config: failed to parse line, skipping, in "/etc/mail/spamassassin/local.cf": -s n"

So, I presume I presumed incorrectly.

-- +++ joea@@j4computers.com https://www.j4computers.com 845-687-3734 +++