Re: [SPAM] (6.70/5.00) Re: [FW: spam control
The Doctor wrote:
> Question: How can every user use Spam Assassin without having to specify a
> user? It would be nice for every user to govern their own account.
>

SA will scan mail as the userid of the process calling SA, unless you pass -u to either spamc or spamd.

SA has no way of reliably determining who the recipient is based on the message content. It cannot "automatically figure it out" for you.

Typically people using procmail just do a quick trick where the envelope recipient gets passed to -u. I don't use procmail so I don't know the exact syntax, but there's a variable (%1?) that gets used for this.

I'm not sure if any of the milters can do the same trick, but there's nothing about the nature of a milter to prevent this. The only problem is that at the milter level you'll see outbound mail, which you won't have a local user for. Procmail on the other hand only gets called for mail that's locally delivered, so you can know for sure the recipient is local.
OT: Dr's. was [FW: spam control
"jdow" <[EMAIL PROTECTED]> wrote on 07/27/2005 06:35:46 PM:

[snip]
>
> (One thing I have found is that people who use the term "Dr." in front
> of their monikers when "out in public" are incapable of learning because
> all the public is too dumb to listen to. It earns them incredible amounts
> of heartburn.)
>

One of the guys I work with has earned the title Dr. Death. Back in the Windows 3.1 days he managed to cause BSOD's daily and call us for help. When asked what had changed, oh nothing, I just installed this beta software, or this new device driver. We used to have a field day with him, GREAT guy, doesn't use the Dr. title at all, we still tease him about it to this day.

One of his best comments: Yes I know that Phd stands for Push Here Dummy. I still crack up at that one.

Andy
Re: [SPAM] (6.70/5.00) Re: [FW: spam control
On Wed, Jul 27, 2005 at 06:00:58PM -0600, The Doctor wrote:
> On Wed, Jul 27, 2005 at 04:45:36PM -0400, Matt Kettler wrote:
> > The Doctor wrote:
> > >
> > > The whitelist in question:
> > >
> > > /.spamassassin/user_prefs:
> > >
> > >
> > > And the spamassassin is called as follows:
> > >
> > > echo -n ' Spam Assassin'; /usr/contrib/bin/spamd -d -i -D -u
> > > defang --user-config --siteconfigpath=/etc/mail/spamassassin
> > > --syslog=/var/log/spamd.log --pidfile=/var/run/spamd.pid;
> > > /usr/contrib/bin/smf-spamd;
> >
> > is "" in the user_prefs path the home directory for the user
> > "defang"...
> > if not, then that whole file will NOT under ANY condition be read.
> >
> > Since you're passing -u defang to spamd, it will ONLY run as defang, and it
> > will ONLY check defang's home directory for a user_prefs file.
> >
>
> Question: How can every user use Spam Assassin without having to specify a
> user? It would be nice for every user to govern their own account.
>

Also, IS it possible for Spam Assassin to skip over a realm?

--
Member - Liberal International
This is [EMAIL PROTECTED] Ici [EMAIL PROTECTED]
God Queen and country! Beware Anti-Christ rising!
Better to serve in Heaven than to Rule in Hell.
Re: [SPAM] (6.70/5.00) Re: [FW: spam control
On Wed, Jul 27, 2005 at 04:45:36PM -0400, Matt Kettler wrote:
> The Doctor wrote:
> >
> > The whitelist in question:
> >
> > /.spamassassin/user_prefs:
> >
> >
> > And the spamassassin is called as follows:
> >
> > echo -n ' Spam Assassin'; /usr/contrib/bin/spamd -d -i -D -u
> > defang --user-config --siteconfigpath=/etc/mail/spamassassin
> > --syslog=/var/log/spamd.log --pidfile=/var/run/spamd.pid;
> > /usr/contrib/bin/smf-spamd;
>
> is "" in the user_prefs path the home directory for the user "defang"...
> if not, then that whole file will NOT under ANY condition be read.
>
> Since you're passing -u defang to spamd, it will ONLY run as defang, and it
> will ONLY check defang's home directory for a user_prefs file.
>

Question: How can every user use Spam Assassin without having to specify a user? It would be nice for every user to govern their own account.

--
Member - Liberal International
This is [EMAIL PROTECTED] Ici [EMAIL PROTECTED]
God Queen and country! Beware Anti-Christ rising!
Better to serve in Heaven than to Rule in Hell.
Re: [FW: spam control
From: "Kai Schaetzl" <[EMAIL PROTECTED]>

> The Doctor wrote on Wed, 27 Jul 2005 13:34:42 -0600:
>
> > This is [EMAIL PROTECTED] Ici [EMAIL PROTECTED]
>
> Ah, it's he again. Setting to ignore mode.
>
> Kai

He rather is an example of why we tended not to allow our doctorates into the lab when I was doing RF engineering for Rockwell International. They broke everything they touched. Heck, one fellow only had to step inside the room and half the equipment quit working.

If he has a doctorate in "Computer Science" he knows too much to get SpamAssassin running. He knows how things "should be done" and knows that what he knows is "absolutely the only way things should be done." So why sit down and figure out how it really works carefully and methodically? He religiously seems to hide major pieces of his configuration from us and then demand solutions.

I've quit even bothering to reply to him. I do read him. He's so silly he's amusing.

(One thing I have found is that people who use the term "Dr." in front of their monikers when "out in public" are incapable of learning because all the public is too dumb to listen to. It earns them incredible amounts of heartburn.)

{^_^}
Re: [FW: spam control
The Doctor wrote:
>
> Next?
>

My honest suggestion? Stop everything, and take a step back. Read, think about the options, then act.

First, fix your setup as Andy Jezierski suggested. Have ONE and only ONE call to spamassassin. You've got 3 right now. Two milters and a procmail call. That's VERY bad news, and will greatly complicate configuration, testing and debugging.

Pick ONE of the following:

    smf-spamd
    milter-spamc
    procmailrc call to spamc

And ditch the other two.

With all three of them in place, that's 3 tools you have to configure, and if any one of them isn't set up right you'll have problems. Reducing it to one tool, one call, will make your life easier.

Second, I would personally just get rid of your local.cf and start over. At the very minimum get rid of every "score" statement you've added in there. You've been raising rule scores all over the place, which wound up causing FP problems. Then you raised your threshold to counteract the FP problems your modified scores caused. Bad news. You're getting into an arms race with yourself.

Third, once you've picked one of the methods of calling SpamAssassin (instead of three) configure that tool to bypass SA calls. If you decide to keep milter-spamc, I'd suggest using Andy's suggestion of a /etc/mail/access statement.

    Milter-Spamc-From:[EMAIL PROTECTED] OK
Re: [FW: spam control
The Doctor wrote on Wed, 27 Jul 2005 13:34:42 -0600:

> This is [EMAIL PROTECTED] Ici [EMAIL PROTECTED]

Ah, it's he again. Setting to ignore mode.

Kai

--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com
IE-Center: http://ie5.de & http://msie.winware.org
Re: [FW: spam control
On Wed, Jul 27, 2005 at 05:25:42PM -0400, Matt Kettler wrote:
> Chris Santerre wrote:
> >>score gtube 4.0
> >
> > *snip*
> >
> > Holy carp!!! Why did you rescore just about every rule higher?
>
> An even better question.. why did he try to rescore GTUBE down to 4.0?
>
> Although that was slightly screwed up by not putting the rule name in all-caps,
> GTUBE should always cause a message to be high-scoring spam.
>
> That's the whole point of GTUBE. GTUBE detects a really odd-ball test-string
> which should never be present in normal email, and it's kind of like the EICAR
> virus-test string, but for spam.
>

I did try to go back to default and raise the level to 7.5 and did try to restart spamd and spamc, but it seems that Spam Assassin still has the old high features.

The local.cf looks like:

-
# Add your own customisations to this file. See 'man Mail::SpamAssassin::Conf'
# SpamAssassin user preferences file.
#
# Format:
#
# required_hits n
# (how many hits are required to tag a mail as spam.)
#
# score SYMBOLIC_TEST_NAME n
# (if this is omitted, 1 is used as a default score.
# Set the score to 0 to ignore the test.)
#
# # starts a comment, whitespace is not significant.
#
# NOTE! In conjunction with MIMEDefang, SpamAssassin can *NOT* make any
# changes to the message header or body. Any SpamAssassin settings that
# relate to changing the message will have *NO EFFECT* when used from
# MIMEDefang. Instead, use the various MIMEDefang Perl functions if you
# need to alter the message.
###
###

# First of all, the generally useful stuff; thresholds and the whitelist
# of addresses which, for some reason or another, often trigger false
# positives.

required_hits 7.5

# Whitelist and blacklist addresses are *not* patterns; they're just normal
# strings. one exception is that "[EMAIL PROTECTED]" is allowed. They should be in
# lower-case. You can either add multiple addrs on one line,
# whitespace-separated, or you can use multiple lines.
#
# Monty Solomon: he posts from an ISP that has often been the source of spam
# (no fault of his own ;), and sometimes uses Bcc: when mailing.
#
# whitelist_from [EMAIL PROTECTED]

# Add your blacklist entries in the same format...
#
# blacklist_from [EMAIL PROTECTED]

# Mail using languages used in these country codes will not be marked
# as being possibly spam in a foreign language.
#
##ok_locales en

# By default, the subject lines of suspected spam will be tagged.
# This can be disabled here.
#
##rewrite_subject 0

# By default, spamassassin will include its report in the body
# of suspected spam. Enabling this causes the report to go in the
# headers instead. Using 'use_terse_report' for this is recommended.
#
# report_header 1

# By default, SpamAssassin uses a fairly long report format.
# Enabling this uses a shorter format which includes all the
# information in the normal one, but without the superfluous
# explanations.
#
# use_terse_report 0

# By default, spamassassin will change the Content-type: header of
# suspected spam to "text/plain". This is a safety feature. If you
# prefer to leave the Content-type header alone, set this to 0.
# defang_mime 0

# By default, SpamAssassin will run RBL checks. If your ISP already
# does this, set this to 1.
#skip_rbl_checks 1

###
# Add your own customised scores for some tests below. The default scores are
# read from the installed "spamassassin.cf" file, but you can override them
# here. To see the list of tests and their default scores, go to
# http://spamassassin.taint.org/tests.html .
# for details of what can be tweaked.
#

# SpamAssassin config file for version 2.5x
# generated by http://www.yrex.com/spam/spamconfig.php (version 1.01)

# How many hits before a message is considered spam.
required_hits 7.5

# Whether to change the subject of suspected spam
##rewrite_subject 1

# Text to prepend to subject if rewrite_subject is used
##subject_tag *SPAM*
rewrite_header Subject SPAM(_SCORE_)

# Encapsulate spam in an attachment
report_safe 1

# Use terse version of the spam report
use_terse_report 0

# Enable the Bayes system
use_bayes 1

# Enable Bayes auto-learning
auto_learn 1

# Enable or disable network checks
skip_rbl_checks 0
use_razor2 1
use_dcc 1
use_pyzor 1

# Mail using languages used in these country codes will not be marked
# as being possibly spam in a foreign language.
ok_languages all

# Mail using locales used in these country codes will not be marked
# as being possibly spam in a foreign lang
Re: [FW: spam control
The Doctor <[EMAIL PROTECTED]> wrote on 07/27/2005 03:42:41 PM:

[snip]
>
> In my /etc/rc for spam assassin I have,
>
>
> echo -n ' Spam Assassin'; /usr/contrib/bin/spamd -d -i -D -u
> defang --user-config --siteconfigpath=/etc/mail/spamassassin --
> syslog=/var/log/spamd.log --pidfile=/var/run/spamd.pid;

You do realize you have debugging turned on, right? -D
Makes for a HUGE log file each day.

> /usr/contrib/bin/smf-spamd;

First call to SpamAssassin (Is this spam?)

[snip]
> /usr/contrib/bin/daemon /usr/contrib/bin/milter-spamc -r 50 -S -
> v all unix:/var/lib/milter-spamc/socket;

Second call to SpamAssassin (Is this REALLY spam?)

[snip]
>
> /etc/procmailrc in my system reads:
>
>
> :0fw:spamassassin.lock
> * < 1000
> |/usr/contrib/bin/spamc
>
> :0 w
> ! -oi -f "$@"
>

Third call to SpamAssassin (Are you REALLY REALLY sure this is spam?)

Pick ONE method to call SA

Andy
Re: [FW: spam control
Chris Santerre wrote:
>>score gtube 4.0
>
> *snip*
>
> Holy carp!!! Why did you rescore just about every rule higher?

An even better question.. why did he try to rescore GTUBE down to 4.0?

Although that was slightly screwed up by not putting the rule name in all-caps, GTUBE should always cause a message to be high-scoring spam.

That's the whole point of GTUBE. GTUBE detects a really odd-ball test-string which should never be present in normal email, and it's kind of like the EICAR virus-test string, but for spam.
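A small linter for the `score` mistakes raised in this thread, as an added Python example (not code from any poster or from SpamAssassin): it flags rule names that are not all-caps, a rescored GTUBE, a `score` line with no value, a threshold set twice, and single rules worth a large share of the threshold. The `max_share` cut-off and the finding labels are this example's own assumptions, and the sample config is constructed from directives quoted in the thread.

```python
"""Lint SpamAssassin 'score' overrides for the mistakes raised in the thread."""

DEFAULT_REQUIRED = 5.0                      # SpamAssassin's stock threshold
THRESHOLD_KEYS = ("required_hits", "required_score")


def _number(text):
    """Return text as a float, or None when it is not numeric."""
    try:
        return float(text)
    except ValueError:
        return None


def lint_local_cf(text, max_share=0.5):
    """Return sorted (line_number, code, detail) tuples.

    max_share is a heuristic of this example, not a SpamAssassin setting:
    a single rule worth at least that share of the threshold is reported.
    """
    findings, overrides, first_seen = [], [], {}
    required = DEFAULT_REQUIRED
    for lineno, raw in enumerate(text.splitlines(), 1):
        words = raw.split("#", 1)[0].split()     # '#' starts a comment
        if not words:
            continue
        key, args = words[0], words[1:]
        if key in THRESHOLD_KEYS:
            if first_seen:
                findings.append((lineno, "duplicate-threshold",
                                 "first set on line %d" % first_seen["line"]))
            else:
                first_seen["line"] = lineno
            value = _number(args[0]) if args else None
            if value is not None:
                required = value                 # the last assignment wins
            continue
        if key != "score" or not args:
            continue
        rule = args[0]
        if rule != rule.upper():
            # Rule names are matched exactly, so 'gtube' is not 'GTUBE'.
            findings.append((lineno, "lowercase-rule", rule))
        if rule.upper() == "GTUBE":
            findings.append((lineno, "gtube-rescored", rule))
        value = _number(args[1]) if len(args) > 1 else None
        if value is None:
            findings.append((lineno, "missing-score", rule))
        else:
            overrides.append((lineno, rule, value))
    # Judge weights only once the final threshold is known.
    for lineno, rule, value in overrides:
        if rule.upper() != "GTUBE" and value >= required * max_share:
            findings.append((lineno, "heavy-override",
                             "%s %g of %g" % (rule, value, required)))
    return sorted(findings)


# Constructed sample built from directives quoted in the thread; the
# value-less HTML_MESSAGE line is made up to exercise "missing-score".
SAMPLE = """\
required_hits 7.5
score gtube 4.0
score DCC_CHECK 5
score PYZOR_CHECK 5
score HTML_MESSAGE
score TRACKER_ID 4
required_hits 7.5
"""

if __name__ == "__main__":
    for lineno, code, detail in lint_local_cf(SAMPLE):
        print("line %d: %s %s" % (lineno, code, detail))
```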
Re: [FW: spam control
The Doctor <[EMAIL PROTECTED]> wrote on 07/27/2005 03:51:13 PM:

[snip]
> > X-Spam-Status: NO, hits=2.20 required=5.00
> >
> > X-Spam-Level: xx
> >
> > X-Mark-SPAM: YES, score=5.40/5.00, processed for 2.536s on doctor.nl2k.ab.ca
> >
> > [...]
> >
> > What looks odd to me is that X-Spam-Status says NO (I'm assuming that
> > this comes from sa), level is only 2, but X-Mark-Spam: is yes.. with a
> > score of 5.40.. where is this coming from?
> >
>
> I am using milter-spamc and smf-spamd .
>

Pick one milter and get rid of the other. Above, Milter-spamc said the message wasn't spam, and I'm assuming that the X-Mark-SPAM is from smf-spamd, which said the message is spam. Looks like your two milters might be looking at different configs, since they are coming up with different scores.

Also as Chris said, get rid of ALL of your score overrides. That's probably your biggest problem.

Andy
Re: [FW: spam control
On Wed, Jul 27, 2005 at 04:40:40PM -0400, JamesDR wrote:
> The Doctor wrote:
> >On Wed, Jul 27, 2005 at 03:48:22PM -0400, Jim Maul wrote:
> >
> >>The Doctor wrote:
> >>
> >>>
> >>>All right, the short and simple is that Spam-Assassin may not be doing
> >>>the correct job. This user has a whitelist in place and
> >>>some e-mail are getting the label of spam.
> >>>
> >>>Even some of my cron jobs are getting a [SPAM] label when they
> >>>shouldn't.
> >>>
> >>>Why?
> >>>
> >>
> >>Perhaps if you posted the headers of the messages that were marked as
> >>spam we can look to see what rules hit which would answer your "why?"
> >>question. Until then, no one knows what the problem is, and as such,
> >>won't be able to fix it.
> >>
> >>-Jim
> >
> >
>
> Looks like your users send/receive a lot of HTML mail. I had to adjust
> the rules for those down slightly to help reduce the possibility of FP's.
>
> Here, I don't care if 'chain mail' is marked as spam -- that is not
> legitimate mail for our users, tho, my system doesn't delete up to a
> certain threshold.
> Your second example had this (watch for line wraps):
>
> [...]
> > X-Spam-Flag: NO
> > X-Scanned-By: milter-7bit/0.7.101 (doctor.nl2k.ab.ca [204.209.81.1]);
> Wed, 27 Jul 2005 11:24:55 -0600
> > X-Scanned-By: milter-date/0.12.160 (doctor.nl2k.ab.ca [204.209.81.1]);
> Wed, 27 Jul 2005 11:24:55 -0600
> > X-Scanned-By: milter-spamc/0.25.321 (doctor.nl2k.ab.ca [204.209.81.1]);
> Wed, 27 Jul 2005 11:24:33 -0600
> > X-Spam-Status: NO, hits=2.20 required=5.00
> > X-Spam-Level: xx
> > X-Mark-SPAM: YES, score=5.40/5.00, processed for 2.536s on doctor.nl2k.ab.ca
> > [...]
>
> What looks odd to me is that X-Spam-Status says NO (I'm assuming that
> this comes from sa), level is only 2, but X-Mark-Spam: is yes.. with a
> score of 5.40.. where is this coming from?
>

I am using milter-spamc and smf-spamd .

>
> --
> Thanks,
> James
>

--
Member - Liberal International
This is [EMAIL PROTECTED] Ici [EMAIL PROTECTED]
God Queen and country! Beware Anti-Christ rising!
Better to serve in Heaven than to Rule in Hell.
RE: [FW: spam control
> score gtube 4.0
> score razor2_check 4
> score RAZOR2_CF_RANGE_11_50 4
> score RAZOR2_CF_RANGE_51_100 4
> score DCC_CHECK 5
> score PYZOR_CHECK 5
> score REMOVE_IN_QUOTES 4
> score CLICK_TO_REMOVE_2 4
> score ASCII_FORM_ENTRY 4
> score TRACKER_ID 4

*snip*

Holy carp!!! Why did you rescore just about every rule higher? Those rules are bound to cause FPs. Scored waaay too high.

Doc, right now I would remove all traces of SA, and start over. There seem to be issues just about everywhere. Set up SA fresh, and call it ONLY for a test account. (Like your own.)

--Chris
Re: [SPAM: score=6.0/5.0] Re: [FW: spam control
On Wed, Jul 27, 2005 at 03:13:41PM -0500, Andy Jezierski wrote:
> The Doctor <[EMAIL PROTECTED]> wrote on 07/27/2005 02:34:42 PM:
>
> > - Forwarded message from Angry and Concerned Customer -
> >
> > X-Scanned-By: milter-spamc/0.25.321 (localhost.nl2k.ab.ca [0.0.0.
> > 0]); Wed, 27 Jul 2005 13:11:47 -0600
> >
> [snip]
> >
> > All right, the short and simple is that Spam-Assassin may not be doing
> > the correct job. This user has a whitelist in place and
> > some e-mail are getting the label of spam.
> >
> > Even some of my cron jobs are getting a [SPAM] label when they
> > shouldn't.
> >
> > Why?
> >
>
> As everyone has said, we need to see the message headers at a minimum in
> order to try and help. Also, judging from the X-Scanned-By: line above I
> assume you're using milter-spamc to call SA. If you'd like you can add a
> few lines to your sendmail access file to bypass SA for individual
> senders/recipients.
>
> Milter-Spamc-From:[EMAIL PROTECTED] OK
> Milter-Spamc-To:[EMAIL PROTECTED] OK
>

Will try.

> Andy

--
Member - Liberal International
This is [EMAIL PROTECTED] Ici [EMAIL PROTECTED]
God Queen and country! Beware Anti-Christ rising!
Better to serve in Heaven than to Rule in Hell.
RE: [FW: spam control
> > Also, post the whitelist entry you're using... And what file it's in, and how
> > you're calling SA.
>
> Whitelist from /.spamassassin/user_prefs:
>
>

NEVER post other peoples' email addresses to a public and archived list!!!

Deep breaths Doc!

--Chris
Re: [FW: spam control
On Wed, Jul 27, 2005 at 04:02:32PM -0400, Ron Johnson wrote:
> The Doctor writes:
> >
> > - Forwarded message from Angry and Concerned Customer -
> >
> >
> > All right, the short and simple is that Spam-Assassin may not be doing
> > the correct job. This user has a whitelist in place and
> > some e-mail are getting the label of spam.
> >
> > Even some of my cron jobs are getting a [SPAM] label when they shouldn't.
> >
> > Why?
>
> What version are you running? Are you running any additional rulesets?
> Have you written any custom rules yourself? Do you have bayes enabled?
> If so, are you running with autolearn? Do you have AWL enabled? (If so,
> you may want to start over)
>
> You need to find out what rules your false positives are tripping over.
>
> I personally find it convenient to run the false positives manually
> (though that's really not required)
>

I am running 3.0.4 on BSD/OS 4.3.1 .

Here is my local.cf:

# Add your own customisations to this file. See 'man Mail::SpamAssassin::Conf'
# SpamAssassin user preferences file.
#
# Format:
#
# required_hits n
# (how many hits are required to tag a mail as spam.)
#
# score SYMBOLIC_TEST_NAME n
# (if this is omitted, 1 is used as a default score.
# Set the score to 0 to ignore the test.)
#
# # starts a comment, whitespace is not significant.
#
# NOTE! In conjunction with MIMEDefang, SpamAssassin can *NOT* make any
# changes to the message header or body. Any SpamAssassin settings that
# relate to changing the message will have *NO EFFECT* when used from
# MIMEDefang. Instead, use the various MIMEDefang Perl functions if you
# need to alter the message.
###
###

# First of all, the generally useful stuff; thresholds and the whitelist
# of addresses which, for some reason or another, often trigger false
# positives.

required_hits 7.5

# Whitelist and blacklist addresses are *not* patterns; they're just normal
# strings. one exception is that "[EMAIL PROTECTED]" is allowed. They should be in
# lower-case. You can either add multiple addrs on one line,
# whitespace-separated, or you can use multiple lines.
#
# Monty Solomon: he posts from an ISP that has often been the source of spam
# (no fault of his own ;), and sometimes uses Bcc: when mailing.
#
# whitelist_from [EMAIL PROTECTED]

# Add your blacklist entries in the same format...
#
# blacklist_from [EMAIL PROTECTED]

# Mail using languages used in these country codes will not be marked
# as being possibly spam in a foreign language.
#
##ok_locales en

# By default, the subject lines of suspected spam will be tagged.
# This can be disabled here.
#
##rewrite_subject 0

# By default, spamassassin will include its report in the body
# of suspected spam. Enabling this causes the report to go in the
# headers instead. Using 'use_terse_report' for this is recommended.
#
# report_header 1

# By default, SpamAssassin uses a fairly long report format.
# Enabling this uses a shorter format which includes all the
# information in the normal one, but without the superfluous
# explanations.
#
# use_terse_report 0

# By default, spamassassin will change the Content-type: header of
# suspected spam to "text/plain". This is a safety feature. If you
# prefer to leave the Content-type header alone, set this to 0.
# defang_mime 0

# By default, SpamAssassin will run RBL checks. If your ISP already
# does this, set this to 1.
#skip_rbl_checks 1

###
# Add your own customised scores for some tests below. The default scores are
# read from the installed "spamassassin.cf" file, but you can override them
# here. To see the list of tests and their default scores, go to
# http://spamassassin.taint.org/tests.html .
# for details of what can be tweaked.
#

# SpamAssassin config file for version 2.5x
# generated by http://www.yrex.com/spam/spamconfig.php (version 1.01)

# How many hits before a message is considered spam.
required_hits 7.5

# Whether to change the subject of suspected spam
##rewrite_subject 1

# Text to prepend to subject if rewrite_subject is used
##subject_tag *SPAM*
rewrite_header Subject SPAM(_SCORE_)

# Encapsulate spam in an attachment
report_safe 1

# Use terse version of the spam report
use_terse_report 0

# Enable the Bayes system
use_bayes 1

# Enable Bayes auto-learning
auto_learn 1

# Enable or disable network checks
skip_rbl_checks 0
use_razor2 1
use_dcc 1
use_pyzor 1

# Mail using languages used in these country codes will not be marked
# as being possibly spam in a foreign language.
ok_languages all

# Mai
Re: [FW: spam control
The Doctor wrote:

On Wed, Jul 27, 2005 at 03:48:22PM -0400, Jim Maul wrote:

The Doctor wrote:

All right, the short and simple is that Spam-Assassin may not be doing the correct job. This user has a whitelist in place and some e-mail are getting the label of spam.

Even some of my cron jobs are getting a [SPAM] label when they shouldn't.

Why?

Perhaps if you posted the headers of the messages that were marked as spam we can look to see what rules hit which would answer your "why?" question. Until then, no one knows what the problem is, and as such, won't be able to fix it.

-Jim

Looks like your users send/receive a lot of HTML mail. I had to adjust the rules for those down slightly to help reduce the possibility of FP's.

Here, I don't care if 'chain mail' is marked as spam -- that is not legitimate mail for our users, tho, my system doesn't delete up to a certain threshold.

Your second example had this (watch for line wraps):

[...]
X-Spam-Flag: NO
X-Scanned-By: milter-7bit/0.7.101 (doctor.nl2k.ab.ca [204.209.81.1]); Wed, 27 Jul 2005 11:24:55 -0600
X-Scanned-By: milter-date/0.12.160 (doctor.nl2k.ab.ca [204.209.81.1]); Wed, 27 Jul 2005 11:24:55 -0600
X-Scanned-By: milter-spamc/0.25.321 (doctor.nl2k.ab.ca [204.209.81.1]); Wed, 27 Jul 2005 11:24:33 -0600
X-Spam-Status: NO, hits=2.20 required=5.00
X-Spam-Level: xx
X-Mark-SPAM: YES, score=5.40/5.00, processed for 2.536s on doctor.nl2k.ab.ca
[...]

What looks odd to me is that X-Spam-Status says NO (I'm assuming that this comes from sa), level is only 2, but X-Mark-Spam: is yes.. with a score of 5.40.. where is this coming from?

--
Thanks,
James
RE: [FW: spam control
OK something is wrong with your setup!

>
> Sample 1 from a cron job:
>
> Subject: [SPAM] Cron <[EMAIL PROTECTED]> /usr/bin/nice -20
> X-Spam-Flag: NO
>

-- Marked as spam but not?

>
> Sample 2
>
> Headers:
>
> Subject: [SPAM: score=5.4/5.0] spam control and assorted issues
>
> X-Spam-Flag: NO
> X-Spam-Status: NO, hits=2.20 required=5.00
> X-Spam-Level: xx
> X-Mark-SPAM: YES, score=5.40/5.00, processed for 2.536s on
> doctor.nl2k.ab.ca
>

--- Same! Is it being run thru twice?

>
> Sample 3
>
>
> X-Spam-Filter: [EMAIL PROTECTED] by digitalanswers.org
> Subject: [SPAM: score=10.0/5.0] [SPAM] (5.00/5.00) Great
> Canadian website
>
> X-Spam-Flag: YES
>
> X-Spam-Status: YES, hits=5.00 required=5.00
>
> X-Spam-Level: x
>
> X-Spam-Report: Spam detection software, running on the system
> "doctor.nl2k.ab.ca", has
>
> Content analysis details: (5.0 points, 5.0 required)
> pts rule name description
> --
> --
> 3.0 HTML_MESSAGE BODY: HTML included in message
> 0.0 BAYES_50 BODY: Bayesian spam probability is 40 to 60%
> [score: 0.4039]
> 2.0 HTML_10_20 BODY: Message is 10% to 20% HTML
>
> X-Mark-SPAM: YES, score=10.00/5.00, processed for 2.167s on
> doctor.nl2k.ab.ca

3.0 points for an HTML message. That can't be right!

>
> Sample 4:
>
> Subject: [SPAM: score=11.0/5.0] [SPAM] (13.80/5.00) Re:
> [SPAM] (16.50/5.00) Fwd: Fw: 9 Things I Hate About Everyone
>
> Subject: [SPAM] (16.50/5.00) Fwd: Fw: 9 Things I Hate
>
> Content analysis details: (13.8 points, 5.0 required)
>
> pts rule name description
> --
> --
> 4.0 MAILTO_TO_SPAM_ADDR URI: Includes a link to a likely spammer email
> 3.0 HTML_MESSAGE BODY: HTML included in message
> 0.0 BAYES_50 BODY: Bayesian spam probability is 40 to 60%
> [score: 0.5585]
> 4.0 HTML_70_80 BODY: Message is 70% to 80% HTML
> 2.7 AWL AWL: From: address is in the auto white-list
>
> X-Mark-SPAM: YES, score=11.00/5.00, processed for 25.087s on
> doctor.nl2k.ab.ca

Sample 4 has scores all over the place!! 11.00, 13.8, and 16.5!! It went thru 3 times!!

Shut off AWL for now! Fix the 3 point score for HTML. Then figure out why you're getting multiple scans!

--Chris
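The checks Chris walks through above, as an added Python example (not code from the thread or from SpamAssassin): it reads every spam verdict a message carries and reports when the verdicts disagree or when more than one score is present, which is the sign of a message having been scanned by more than one tool. The header names and Subject tag shapes are the ones quoted in the samples; the finding labels, the `mail.example.test` host and the trimmed sample messages are constructed.

```python
"""Report mail that carries spam verdicts from more than one scan."""
import re
from email import message_from_string
from typing import List, NamedTuple, Optional


class Verdict(NamedTuple):
    source: str              # header the verdict was read from
    is_spam: bool
    score: Optional[float]   # None for a bare "[SPAM]" tag


# Subject tags in the shapes quoted in the thread:
#   "[SPAM: score=5.4/5.0]", "[SPAM] (13.80/5.00)" and a bare "[SPAM]".
SUBJECT_TAG = re.compile(
    r"\[SPAM(?::\s*score=(-?[\d.]+)/[\d.]+)?\](?:\s*\((-?[\d.]+)/[\d.]+\))?"
)
HEADER_PATTERNS = {
    "X-Spam-Status": re.compile(r"(YES|NO),\s*hits=(-?[\d.]+)", re.I),
    "X-Mark-SPAM": re.compile(r"(YES|NO),\s*score=(-?[\d.]+)/", re.I),
}


def collect_verdicts(raw_message: str) -> List[Verdict]:
    """Collect each Subject tag and each scoring header as one verdict."""
    msg = message_from_string(raw_message)
    verdicts = []
    for subject in msg.get_all("Subject", []):
        for tag in SUBJECT_TAG.finditer(subject):
            score = tag.group(1) or tag.group(2)
            verdicts.append(
                Verdict("Subject", True, float(score) if score else None))
    for name, pattern in HEADER_PATTERNS.items():
        for value in msg.get_all(name, []):
            hit = pattern.match(value.strip())
            if hit:
                verdicts.append(Verdict(
                    name, hit.group(1).upper() == "YES", float(hit.group(2))))
    return verdicts


def diagnose(raw_message: str) -> List[str]:
    """Name the inconsistencies that point at more than one scan."""
    verdicts = collect_verdicts(raw_message)
    header_calls = {v.is_spam for v in verdicts if v.source != "Subject"}
    tagged = any(v.source == "Subject" for v in verdicts)
    scores = {v.score for v in verdicts if v.score is not None}
    findings = []
    if len(header_calls) > 1:                 # one header YES, another NO
        findings.append("conflicting-verdicts")
    if tagged and False in header_calls:      # "[SPAM]" subject, scored NO
        findings.append("tagged-but-scored-ham")
    if len(scores) > 1:                       # each scan left its own score
        findings.append(f"{len(scores)}-distinct-scores")
    return findings


# Constructed samples; the header values follow Samples 1, 2 and 4 above.
CRON_SAMPLE = (
    "Subject: [SPAM] Cron /usr/bin/nice -20\n"
    "X-Spam-Flag: NO\n"
    "X-Spam-Status: NO, hits=-105.70 required=5.00\n"
    "\nbody\n"
)
TWO_MILTER_SAMPLE = (
    "Subject: [SPAM: score=5.4/5.0] spam control and assorted issues\n"
    "X-Spam-Flag: NO\n"
    "X-Spam-Status: NO, hits=2.20 required=5.00\n"
    "X-Mark-SPAM: YES, score=5.40/5.00, processed for 2.536s on mail.example.test\n"
    "\nbody\n"
)
RESCANNED_SAMPLE = (
    "Subject: [SPAM: score=11.0/5.0] [SPAM] (13.80/5.00) Re: [SPAM] (16.50/5.00) Fwd: Fw: 9 Things\n"
    "X-Mark-SPAM: YES, score=11.00/5.00, processed for 25.087s on mail.example.test\n"
    "\nbody\n"
)

if __name__ == "__main__":
    for label, sample in [("cron", CRON_SAMPLE), ("two milters", TWO_MILTER_SAMPLE),
                          ("rescanned", RESCANNED_SAMPLE)]:
        print(label, diagnose(sample))
```

A tag that follows "Re:" in a Subject may have been inherited from the message being replied to, so a count of Subject tags is an upper bound on the scans of this particular message.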
Re: [FW: spam control
On Wed, Jul 27, 2005 at 03:48:22PM -0400, Jim Maul wrote:
> The Doctor wrote:
> >
> >All right, the short and simple is that Spam-Assassin may not be doing
> >the correct job. This user has a whitelist in place and
> >some e-mail are getting the label of spam.
> >
> >Even some of my cron jobs are getting a [SPAM] label when they shouldn't.
> >
> >Why?
> >
>
> Perhaps if you posted the headers of the messages that were marked as
> spam we can look to see what rules hit which would answer your "why?"
> question. Until then, no one knows what the problem is, and as such,
> won't be able to fix it.
>
> -Jim

Sample 1 from a cron job:

---
From [EMAIL PROTECTED] Wed Jul 27 13:19:15 2005
Return-Path: <[EMAIL PROTECTED]>
Received: from doctor.nl2k.ab.ca ([EMAIL PROTECTED] [127.0.0.1]) by doctor.nl2k.ab.ca (8.13.4/8.13.4) with ESMTP id j6RJJ6BM011313 for <[EMAIL PROTECTED]>; Wed, 27 Jul 2005 13:19:06 -0600 (MDT)
Authentication-Results: doctor.nl2k.ab.ca [EMAIL PROTECTED]; sender-id=neutral; spf=neutral
X-SenderID: Sendmail Sender-ID Filter v0.2.8 doctor.nl2k.ab.ca j6RJJ6BM011313
X-Spam-Filter: [EMAIL PROTECTED] by digitalanswers.org
Received: (from [EMAIL PROTECTED]) by doctor.nl2k.ab.ca (8.13.4/8.13.4/Submit) id j6RJJ31O011310; Wed, 27 Jul 2005 13:19:03 -0600 (MDT)
Date: Wed, 27 Jul 2005 13:19:03 -0600 (MDT)
Message-Id: <[EMAIL PROTECTED]>
From: [EMAIL PROTECTED] (Cron Daemon)
To: [EMAIL PROTECTED]
Subject: [SPAM] Cron <[EMAIL PROTECTED]> /usr/bin/nice -20 /usr/home/cariwest/html/analog/analog
X-Cron-Env:
X-Cron-Env:
X-Cron-Env:
X-Cron-Env:
X-Cron-Env:
X-Virus-Scanned: ClamAV version 0.86.2, clamav-milter version 0.86 on doctor.nl2k.ab.ca
X-Virus-Status: Clean
X-Spam-Flag: NO
X-Scanned-By: milter-7bit/0.7.101 (localhost.nl2k.ab.ca [0.0.0.0]); Wed, 27 Jul 2005 13:19:12 -0600
X-Scanned-By: milter-date/0.12.160 (localhost.nl2k.ab.ca [0.0.0.0]); Wed, 27 Jul 2005 13:19:12 -0600
X-Scanned-By: milter-spamc/0.25.321 (localhost.nl2k.ab.ca [0.0.0.0]); Wed, 27 Jul 2005 13:19:12 -0600
X-Spam-Status: NO, hits=-105.70 required=5.00
X-Spam-Level:
X-milter-date-PASS: YES
X-milter-7bit-Report: error=7bit octet=0x80 offset=74 line=2 position=11
X-milter-7bit-Pass: NO
Status: RO
Content-Length: 718
Lines: 13

/usr/home/cariwest/html/analog/analog: analog version 6.0/Unix
: Warning : Turning off empty Virtual Host Report
(For help on all errors and warnings, see docs/errors.html)
: Warning : Turning off empty Virtual Host Redirection Report
: Warning : Turning off empty Virtual Host Failure Report
: Warning : Turning off empty User Report
: Warning : Turning off empty User Redirection Report
: Warning : Turning off empty User Failure Report
&meta=: Warning : Turning off empty Internal Search Query Report
&meta=: Warning : Turning off empty Internal Search Word Report
: Warning : Turning off empty Processing Time Report
: Warning : In Redirected Referrer Report, turning off pie chart of only one wedge
--

Sample 2

Headers:

---
Subject: [SPAM: score=5.4/5.0] spam control and assorted issues
Date: Wed, 27 Jul 2005 11:28:31 -0600
Message-ID: <[EMAIL PROTECTED]>
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook CWS, Build 9.0.6604 (9.0.2911.0)
Importance: Normal
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1409
X-Virus-Scanned: ClamAV version 0.86.2, clamav-milter version 0.86 on doctor.nl2k.ab.ca
X-Virus-Status: Clean
X-Spam-Flag: NO
X-Scanned-By: milter-7bit/0.7.101 (doctor.nl2k.ab.ca [204.209.81.1]); Wed, 27 Jul 2005 11:24:55 -0600
X-Scanned-By: milter-date/0.12.160 (doctor.nl2k.ab.ca [204.209.81.1]); Wed, 27 Jul 2005 11:24:55 -0600
X-Scanned-By: milter-spamc/0.25.321 (doctor.nl2k.ab.ca [204.209.81.1]); Wed, 27 Jul 2005 11:24:33 -0600
X-Spam-Status: NO, hits=2.20 required=5.00
X-Spam-Level: xx
X-Mark-SPAM: YES, score=5.40/5.00, processed for 2.536s on doctor.nl2k.ab.ca
X-milter-date-PASS: YES
X-milter-7bit-Pass: YES
X-UIDL: efU!!CF,"!([EMAIL PROTECTED]"!
---

Sample 3

Return-Path: <[EMAIL PROTECTED]>
Received: from web31112.mail.mud.yahoo.com (web31112.mail.mud.yahoo.com [68.142.201.74]) by doctor.nl2k.ab.ca (8.13.4/8.13.4) with SMTP id j6RITs3q002842 for <[EMAIL PROTECTED]>; Wed, 27 Jul 2005 12:29:55 -0600 (MDT)
Authentication-Results: doctor.nl2k.ab.ca [EMAIL PROTECTED]; sender-id=neutral; spf=neutral
X-SenderID: Sendmail Sender-ID Filter v0.2.8 doctor.nl2k.ab.ca j6RITs3q002842
X-Spam-Filter: [EMAIL PROTECTED] by digitalanswers.org
Received: (qmail 2762 invoked by uid 60001); 27 Jul 2005 18:29:48 -
DomainKey-Signature:
Re: [FW: spam control
The Doctor <[EMAIL PROTECTED]> wrote on 07/27/2005 02:34:42 PM:

> - Forwarded message from Angry and Concerned Customer -
>
> X-Scanned-By: milter-spamc/0.25.321 (localhost.nl2k.ab.ca [0.0.0.
> 0]); Wed, 27 Jul 2005 13:11:47 -0600
>
[snip]
>
> All right, the short and simple is that Spam-Assassin may not be doing
> the correct job. This user has a whitelist in place and
> some e-mail are getting the label of spam.
>
> Even some of my cron jobs are getting a [SPAM] label when they shouldn't.
>
> Why?
>

As everyone has said, we need to see the message headers at a minimum in order to try and help. Also, judging from the X-Scanned-By: line above I assume you're using milter-spamc to call SA. If you'd like you can add a few lines to your sendmail access file to bypass SA for individual senders/recipients.

    Milter-Spamc-From:[EMAIL PROTECTED] OK
    Milter-Spamc-To:[EMAIL PROTECTED] OK

Andy
Re: [FW: spam control
The Doctor writes:

> - Forwarded message from Angry and Concerned Customer -
>
> All right, the short and simple is that Spam-Assassin may not be doing the correct job. This user has a whitelist in place and some e-mails are getting the label of spam.
>
> Even some of my cron jobs are getting a [SPAM] label when they shouldn't.
>
> Why?

What version are you running?
Are you running any additional rulesets?
Have you written any custom rules yourself?
Do you have bayes enabled? If so, are you running with autolearn?
Do you have AWL enabled? (If so, you may want to start over)

You need to find out what rules your false positives are tripping over. I personally find it convenient to run the false positives manually (though that's really not required)
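The "Sample 2" headers posted in this thread carry more than one score, and the scores do not agree. The following is an added example, not code from any poster: it lists every header that carries a score and which of them reach their own threshold. The header text is copied from Sample 2 and Sample 1; the function names and the "score >= threshold" comparison are assumptions of this sketch.

```python
import re
from email import message_from_string

# Header lines copied from "Sample 2" in this thread.
SAMPLE_2 = "\n".join([
    "Subject: [SPAM: score=5.4/5.0] spam control and assorted issues",
    "X-Spam-Flag: NO",
    "X-Spam-Status: NO, hits=2.20 required=5.00",
    "X-Spam-Level: xx",
    "X-Mark-SPAM: YES, score=5.40/5.00, processed for 2.536s on doctor.nl2k.ab.ca",
    "",
    "body",
])

NUM = r"(-?\d+(?:\.\d+)?)"
# Two notations appear in the samples: "hits=H required=R" and "score=S/R".
PATTERNS = (
    re.compile(r"hits=" + NUM + r"\s+required=" + NUM),
    re.compile(r"score=" + NUM + r"/" + NUM),
)


def score_headers(raw_message):
    """Return [(header_name, score, threshold)] for each header carrying a score."""
    found = []
    for name, value in message_from_string(raw_message).items():
        for pattern in PATTERNS:
            match = pattern.search(value)
            if match:
                found.append((name, float(match.group(1)), float(match.group(2))))
                break
    return found


def over_threshold(raw_message):
    """Headers whose own score reaches their own threshold (assumed: >=)."""
    return [n for n, s, t in score_headers(raw_message) if s >= t]


def verdicts_disagree(raw_message):
    """True when some score headers say spam and others say not spam."""
    return len({s >= t for _, s, t in score_headers(raw_message)}) > 1


if __name__ == "__main__":
    for name, score, threshold in score_headers(SAMPLE_2):
        print(f"{name:15} {score:8.2f} / {threshold:.2f}")
    print("over threshold:", over_threshold(SAMPLE_2))
    print("verdicts disagree:", verdicts_disagree(SAMPLE_2))
```

When the verdicts disagree, the header that crossed the threshold identifies which scoring pass needs its rule hits examined.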
Re: [FW: spam control
Jim Maul wrote:

> The Doctor wrote:
>
>> All right, the short and simple is that Spam-Assassin may not be doing the correct job. This user has a whitelist in place and some e-mails are getting the label of spam.
>>
>> Even some of my cron jobs are getting a [SPAM] label when they shouldn't.
>>
>> Why?
>
> Perhaps if you posted the headers of the messages that were marked as spam we can look to see what rules hit which would answer your "why?" question. Until then, no one knows what the problem is, and as such, won't be able to fix it.

Also, post the whitelist entry you're using... And what file it's in, and how you're calling SA.

Some general notes about this kind of problem:

Bear in mind that "whitelist_to", "more_spam_to" and "all_spam_to" commands will generally NOT match any messages which are BCC'ed to you, including mailing lists. SpamAssassin will *try* to find out who the BCC'ed recipient is, but if your MTA doesn't add any headers indicative of this, there's no way for spamassassin to determine the message recipient.

If you have users that really do not want their mail marked as spam, it is a much better solution to avoid calling SA in the first place for those users. You save CPU time, and most tools that call SA have direct access to the message envelope and can make decisions based on the real recipient. For example, if you call spamc from procmail, you can write a procmail rule that bypasses spamc for some users.

Also bear in mind that if you're using a user's user_prefs file to declare a whitelist, you MUST be calling spamc as that user, or passing their username to spamc -u. Most site-wide installs will only read the user_prefs for one account (usually mail, root, or nobody), and will NOT read the user_prefs file in the recipient's home directory.
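The BCC point above can be seen with a small model of header-based recipient matching. This is an added example, not SpamAssassin's code and not from the original message: the header list is an illustrative subset, the glob matching is a simplification, and all addresses and messages are constructed.

```python
from email import message_from_string
from email.utils import getaddresses
from fnmatch import fnmatchcase

# Illustrative subset of recipient-bearing headers (an assumption of this
# sketch, not SpamAssassin's exact list).
RECIPIENT_HEADERS = ("To", "Cc", "Delivered-To", "X-Original-To", "Envelope-To")
PATTERNS = ["*@club.example"]  # constructed whitelist_to-style glob


def build(headers):
    """Assemble a constructed test message from (name, value) pairs."""
    return "\n".join(f"{n}: {v}" for n, v in headers) + "\n\nbody\n"


# All three constructed messages have the envelope recipient
# office@club.example; only the headers differ.
DIRECT = build([("From", "member@isp.example"), ("To", "office@club.example")])
LIST_BCC = build([("From", "member@isp.example"), ("To", "members@lists.example")])
LIST_BCC_MTA = build([("From", "member@isp.example"),
                      ("To", "members@lists.example"),
                      ("Delivered-To", "office@club.example")])


def header_recipients(raw_message):
    """Return the lower-cased addresses visible in recipient headers."""
    msg = message_from_string(raw_message)
    values = []
    for name in RECIPIENT_HEADERS:
        values.extend(msg.get_all(name, []))
    return {addr.lower() for _, addr in getaddresses(values) if addr}


def whitelist_to_matches(raw_message, patterns=PATTERNS):
    """True if any glob pattern matches an address found in the headers."""
    recipients = header_recipients(raw_message)
    return any(fnmatchcase(addr, pat.lower())
               for addr in recipients for pat in patterns)


if __name__ == "__main__":
    for label, raw in (("direct", DIRECT), ("list/BCC", LIST_BCC),
                       ("list/BCC + MTA header", LIST_BCC_MTA)):
        print(f"{label:22} whitelisted={whitelist_to_matches(raw)}")
```

The second message is the failure case: the real recipient exists only in the SMTP envelope, so a header-based whitelist cannot match it unless the MTA records the recipient in a header.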
Re: [FW: spam control
The Doctor wrote:

> All right, the short and simple is that Spam-Assassin may not be doing the correct job. This user has a whitelist in place and some e-mails are getting the label of spam.
>
> Even some of my cron jobs are getting a [SPAM] label when they shouldn't.
>
> Why?

Perhaps if you posted the headers of the messages that were marked as spam we can look to see what rules hit which would answer your "why?" question. Until then, no one knows what the problem is, and as such, won't be able to fix it.

-Jim
[FW: spam control
- Forwarded message from Angry and Concerned Customer -

X-Scanned-By: milter-spamc/0.25.321 (localhost.nl2k.ab.ca [0.0.0.0]); Wed, 27 Jul 2005 13:11:47 -0600

Hi Dave - we are still getting people labeled as sending us spam that should be on that white list (this includes emails from employees). The last two were addressed to me from Rhonda and one from Jim Wooley - both were labeled as spam! This is nuts! If it doesn't work - it doesn't work!

Also can we raise the threshold on the spam to 7.5 instead of 5.00 (7.5 > and it is labeled spam)

Really for us - we would rather not have anything labeled as spam AT ALL. This would fix most of this issue. Then the only issue would be making sure your Spam filters (Spam Assassin) pass all legitimate emails through to us (even if some spam slipped through with it - we would rather not miss anything).

Our issues are major to us - and it seems we have a number of them, so I am going to go over them here again so we don't lose sight of them:

3) Email issues. Spam. We didn't ask for our emails to be labeled with "spam" and it is creating problems for us. This creates certain issues within the organization when we "accidentally" reply to a member (not noticing anymore the spam label - since every email seems to have it) and they get an email from us with "spam" marked in it

Also, a number of members at one time or another could not send email through to us. I haven't heard of any lately, but that was why we went to a "whitelist" approach - to ensure that people on that whitelist were allowed through - regardless of spam filtering and that their emails would not be labeled spam. (Note I am saying spam filtering - not the standard antivirus checking). Well, it's been a couple months now and the Whitelist doesn't seem to be working as it should/intended and there has also been no way to update that white list (replace the file of "acceptable" email addresses with updated ones or add people to it).

- End forwarded message -

All right, the short and simple is that Spam-Assassin may not be doing the correct job. This user has a whitelist in place and some e-mails are getting the label of spam.

Even some of my cron jobs are getting a [SPAM] label when they shouldn't.

Why?

--
Member - Liberal International
This is [EMAIL PROTECTED] Ici [EMAIL PROTECTED]
God Queen and country! Beware Anti-Christ rising!
Better to serve in Heaven than to Rule in Hell.