Re: awl postgresql
Sidney Markowitz wrote on 4/01/23 8:47 pm: There's a typo, which must just be in your email since postgres won't accept it, that should be =+ not += I am not expert it SQL :) Further testing reveals that there is no auto-increment operator in postgres or SQLite SQL, neither += nor =+ The reason why =+ does not get a syntax error is because it is parsed as two separate operators and whitespace is not required and is ignored. In other words, totspace =+ 10 is the same as totspace = +10 which sets totspace to the value 10, which is not what was intended. The change to =+ doesn't fail the syntax, but does cause test t/sql_based_welcomelist.t to fail because the results are wrong. The only syntax that actually works is to include the table name as in totspace = awl.totspace + 10 I have submitted a patch to that effect in bug 8098 for people who do know SQL to review. Benny, if you want to try out that patch, please do so. Sidney
Re: awl postgresql
Benny Pedersen wrote on 4/01/23 11:00 am: https://github.com/apache/spamassassin/blob/trunk/lib/Mail/SpamAssassin/SQLBasedAddrList.pm#L289 $sql .= " ON CONFLICT (username, email, signedby, ip) DO UPDATE set msgcount = ?, totscore += ?"; confirm is from my side needed it would fix it, i atleast like to think it does There's a typo, which must just be in your email since postgres won't accept it, that should be =+ not += there is more lines with totscore = totscore that might need fix aswell I checked that, and the only two other places I saw were conditional on not being postgres. Also, the last place it is used, in the fallback UPDATE statement, I tried it in postgres and found that in that statement postgres allows the totscore = totscore + 10 syntax. Strange. I opened a bug https://bz.apache.org/SpamAssassin/show_bug.cgi?id=8098 and will submit a patch for that =+ change. Thanks for catching this. Sidney
Re: awl postgresql
Ángel wrote on 4/01/23 2:59 pm: On 2023-01-04 at 10:24 +1300, Sidney Markowitz wrote: If anyone else reading this is using 4.0.0 and postgres for AWL, are you seeing or not seeing this problem? I can easily reproduce this with a quick install and manually providing the SQL from the code (output included below). Postgresql (tested on version 11) seem to be choking on the self-referential totscore in the update clause. It seems it can't assign a value from the row inside the DO UPDATE but only a constant. Thanks, I found it easy to reproduce your results by pasting that into the online sandbox at https://www.db-fiddle.com/ and running with every version of postgres that has ON CONFLICT (added in version 9.5). Martin, that proves that it doesn't have anything to do with the awl and txrep tables having the same column names, it is something postgres is picky about even with no other tables in the schema. SQLite, which uses the same ON CONFLICT syntax for upsert doesn't sem to have a problem with it. As a quick fix, removing the string “pg|” from the lines 309, 325, 341 and 358 will probably make the plugin work by making it use the fallback code with postgres. > A += doesn't (neccesarily) fix it. Perhaps it works on an higher > version. The correct syntax is =+ Benny's += was probably a typo. I verified in the sandbox that it works for every version of postgres from 9.5 through 15, and also the SQLite versions there. Making the expression totscore = awl.totscore + 10 also works, but =+ seems cleaner. I'll open a bug report, post a patch that gets all of the similar sql statements, and see what the devs with more SQL experience have to say. -- Sidney
Re: awl postgresql
On 2023-01-03 at 23:00 +0100, Benny Pedersen wrote:
> https://github.com/apache/spamassassin/blob/trunk/lib/Mail/SpamAssassin/SQLBasedAddrList.pm#L289
>
> $sql .= " ON CONFLICT (username, email, signedby, ip) DO UPDATE set
> msgcount = ?, totscore += ?";
>
> confirm is from my side needed it would fix it, i atleast like to
> think it does
A += doesn't (neccesarily) fix it. Perhaps it works on an higher
version.
postgres=# insert into awl (username, email, ip, signedby) values ('john',
'jsm...@example.com', '127.0.0.1', '-') ON CONFLICT (username, email, signedby,
ip) DO UPDATE set msgcount = 5, totscore += 1;
ERROR: syntax error at or near "+="
LINE 1: ...il, signedby, ip) DO UPDATE set msgcount = 5, totscore += 1;
^
Re: awl postgresql
On 2023-01-04 at 10:24 +1300, Sidney Markowitz wrote:
> If anyone else reading this is using 4.0.0 and postgres for AWL, are
> you seeing or not seeing this problem?
I can easily reproduce this with a quick install and manually providing
the SQL from the code (output included below). Postgresql (tested on
version 11) seem to be choking on the self-referential totscore in the
update clause.
It seems it can't assign a value from the row inside the DO UPDATE but
only a constant.
As a quick fix, removing the string “pg|” from the lines 309, 325, 341
and 358 will probably make the plugin work by making it use the
fallback code with postgres.
postgres=# CREATE TABLE awl (
postgres(# username varchar(100) NOT NULL default '',
postgres(# email varchar(255) NOT NULL default '',
postgres(# ip varchar(40) NOT NULL default '',
postgres(# msgcount bigint NOT NULL default '0',
postgres(# totscore float NOT NULL default '0',
postgres(# signedby varchar(255) NOT NULL default '',
postgres(# last_hit timestamp NOT NULL default CURRENT_TIMESTAMP,
postgres(# PRIMARY KEY (username,email,signedby,ip)
postgres(# );
CREATE TABLE
postgres=# select * from awl;
username | email | ip | msgcount | totscore | signedby | last_hit
--+---++--+--+--+--
(0 rows)
postgres=# insert into awl (username, email, ip, signedby) values ('john',
'jsm...@example.com', '127.0.0.1', '-');
INSERT 0 1
postgres=# select * from awl;
username | email|ip | msgcount | totscore | signedby |
last_hit
--++---+--+--+--+
john | jsm...@example.com | 127.0.0.1 |0 |0 | -|
2023-01-04 02:45:24.769152
(1 row)
postgres=# insert into awl (username, email, ip, signedby) values ('john',
'jsm...@example.com', '127.0.0.1', '-') ON CONFLICT (username, email, signedby,
ip) DO UPDATE set msgcount = 5, totscore=totscore + 10;
ERROR: column reference "totscore" is ambiguous
LINE 1: ...ignedby, ip) DO UPDATE set msgcount = 5, totscore=totscore +...
^
Re: awl postgresql
On Wed, 2023-01-04 at 00:43 +0100, Benny Pedersen wrote: > > i have dumped all i have in posgres without data so only structure is > here > > https://usercontent.irccloud-cdn.com/file/WJmDq7xc/spamassassin_dump_tables%20only.txt > > dont know what package means on gentoo, its stable versions i use, > just > not latest stable > > if more info is needed i can provide it There's enough detail there to make an informed guess about what could be wrong. The tables public.awl and public.txrep contain identical sets of column names, so a reference to any of these column names will be rejected unless it is qualified by referring to it as table_name.column_name Without specifying the fully qualified name, e.g public.awl.email, the database engine can't know which table contains the column that the script its executing is meant to use. Martin
Re: awl postgresql
Martin Gregorie skrev den 2023-01-03 23:43: On Wed, 2023-01-04 at 10:24 +1300, Sidney Markowitz wrote: Benny Pedersen wrote on 4/01/23 3:19 am: If anyone else reading this is using 4.0.0 and postgres for AWL, are you seeing or not seeing this problem? I use Postgresql, though not with SA. I agree with your suggestion, but it would also be useful to see the definition of the table. 'psql', the postgres interactive command tool, can be used to show this info: the psql command "\d tablename" displays columns in the 'tablename' table as well as other relevant information about it. If Postgres was installed from a standard package, the psql interactive program (and its manpage) should also have been installed. i have dumped all i have in posgres without data so only structure is here https://usercontent.irccloud-cdn.com/file/WJmDq7xc/spamassassin_dump_tables%20only.txt dont know what package means on gentoo, its stable versions i use, just not latest stable if more info is needed i can provide it
Re: awl postgresql
On Wed, 2023-01-04 at 10:24 +1300, Sidney Markowitz wrote: > Benny Pedersen wrote on 4/01/23 3:19 am: > > If anyone else reading this is using 4.0.0 and postgres for AWL, are > you > seeing or not seeing this problem? > I use Postgresql, though not with SA. I agree with your suggestion, but it would also be useful to see the definition of the table. 'psql', the postgres interactive command tool, can be used to show this info: the psql command "\d tablename" displays columns in the 'tablename' table as well as other relevant information about it. If Postgres was installed from a standard package, the psql interactive program (and its manpage) should also have been installed. Martin
Re: awl postgresql
Sidney Markowitz skrev den 2023-01-03 22:24: Benny Pedersen wrote on 4/01/23 3:19 am: https://github.com/apache/spamassassin/blob/trunk/lib/Mail/SpamAssassin/SQLBasedAddrList.pm#L310 imho this line I agree, but I don't see from looking at that line how the SQL query can have more than one table involved, and from the description of what "column reference is ambiguous" means I don't see how a query with one table in it can get a column reference is ambiguous error. https://github.com/apache/spamassassin/blob/trunk/lib/Mail/SpamAssassin/SQLBasedAddrList.pm#L289 $sql .= " ON CONFLICT (username, email, signedby, ip) DO UPDATE set msgcount = ?, totscore += ?"; confirm is from my side needed it would fix it, i atleast like to think it does there is more lines with totscore = totscore that might need fix aswell
Re: awl postgresql
Benny Pedersen wrote on 4/01/23 3:19 am: https://github.com/apache/spamassassin/blob/trunk/lib/Mail/SpamAssassin/SQLBasedAddrList.pm#L310 imho this line I agree, but I don't see from looking at that line how the SQL query can have more than one table involved, and from the description of what "column reference is ambiguous" means I don't see how a query with one table in it can get a column reference is ambiguous error. If you can't get the full dbg line, perhaps someone who actually uses SQL based awl might be able to jump in here, that's the limit of what I can figure out. I was wrong when I said that... The dbg line does not include the full query anyway, just the arguments. I don't know if the dbg line you get to is line 331 or 347, they both look the same. However, if you can edit those to also output $sql you can see the exact SQL query that is producing the error. Someone who knows SQL better than I do could probably figure out from that how it could produce a column reference is ambiguous error. Or if you could add $sql to the dbg statements and post the full dbg output without that truncation, I could probably Google enough to figure it out. I'm not set up to easily test with postgres AWL here, so it would help if you could generate the dbg lines with the additional info. it worked in 3.4.6 If anyone else reading this is using 4.0.0 and postgres for AWL, are you seeing or not seeing this problem?
Re: awl postgresql
Sidney Markowitz skrev den 2023-01-03 10:53: Benny Pedersen wrote on 3/01/23 2:21 pm: https://github.com/apache/spamassassin/blob/trunk/sql/awl_pg.sql#L6 https://www.irccloud.com/pastebin/wRkT4AeI/awl.sql how to solve it ? The sql error means that there is more than one table in the sql statement that has a column named "totscore" and so where the command references "totscore" without using a syntax like tablename.totscore to specify which table it means is ambiguous. However, I don't see any definition of a table with a column named totscore other than the one in table "awl" that you linked to. And the full SQL query string is not in the snippet in your pastebin, that is truncated dbg: auto-welcomelist: [...] LINE 1: ...edby, ip) DO UPDATE set msgcount = $6, totscore = totscore +... If you can get the entire SQL command that is in that dbg output, without truncation, it might be more obvious what is going on. Looking at the source code in SQLBasedAddrList.pm, I don't see how the SQL query that it generates can have any ambiguity as to which table totscore refers to, there is just that one table as far as I can tell. https://github.com/apache/spamassassin/blob/trunk/lib/Mail/SpamAssassin/SQLBasedAddrList.pm#L310 imho this line If you can't get the full dbg line, perhaps someone who actually uses SQL based awl might be able to jump in here, that's the limit of what I can figure out. it worked in 3.4.6
Re: awl postgresql
Benny Pedersen wrote on 3/01/23 2:21 pm: https://github.com/apache/spamassassin/blob/trunk/sql/awl_pg.sql#L6 https://www.irccloud.com/pastebin/wRkT4AeI/awl.sql how to solve it ? The sql error means that there is more than one table in the sql statement that has a column named "totscore" and so where the command references "totscore" without using a syntax like tablename.totscore to specify which table it means is ambiguous. However, I don't see any definition of a table with a column named totscore other than the one in table "awl" that you linked to. And the full SQL query string is not in the snippet in your pastebin, that is truncated dbg: auto-welcomelist: [...] LINE 1: ...edby, ip) DO UPDATE set msgcount = $6, totscore = totscore +... If you can get the entire SQL command that is in that dbg output, without truncation, it might be more obvious what is going on. Looking at the source code in SQLBasedAddrList.pm, I don't see how the SQL query that it generates can have any ambiguity as to which table totscore refers to, there is just that one table as far as I can tell. If you can't get the full dbg line, perhaps someone who actually uses SQL based awl might be able to jump in here, that's the limit of what I can figure out.
RE: awl postgresql
> > https://github.com/apache/spamassassin/blob/trunk/sql/awl_pg.sql#L6 > > https://www.irccloud.com/pastebin/wRkT4AeI/awl.sql > > how to solve it ? https://notepad.ltd/asdf23423asdfasdf ;)
awl postgresql
https://github.com/apache/spamassassin/blob/trunk/sql/awl_pg.sql#L6 https://www.irccloud.com/pastebin/wRkT4AeI/awl.sql how to solve it ?
Re: AWL on 3.4
- Message from "Kevin A. McGrail" - There are several CVEs in that version of SA. 3.4.5 is imminent with the release created and votes necessary given. I know I for one will be looking forward to the end of 3.4 branch and the focus on 4.0. Anyway, you might want to upgrade. TxRep works but I agree it has some bugs. I'm hoping to pay more attention to them now that 4.0 is the active codebase. Regards, KAM Thanks Kevin. It is operating and flagging repeats with adjusted txrep as expected, so that is an indicator that it is at least broadly Working as Intended (TM). I've not set txrep_autolearn on yet, will monitor for a while. Simon On Sun, Mar 21, 2021 at 3:04 AM Simon Wilson wrote: - Message from John Hardin - Date: Sat, 20 Mar 2021 08:08:17 -0700 (PDT) From: John Hardin Subject: Re: AWL on 3.4 To: users@spamassassin.apache.org > On Sun, 21 Mar 2021, Simon Wilson wrote: > >> I've just migrated and updated to SA 3.4, and have moved the Bayes >> db to Redis. I used to use AWL but don't think the module is loaded >> in 3.4, am I correct? >> >> There seems to be mixed commentary online about whether to enable >> it - I'll leave it off for a few weeks and see how it goes, but am >> interested in comments on its usefulness? > > It pretty much been replaced by TxRep. - End message from John Hardin - Thanks. I enabled TxRep and will see how it goes. I did run into this bug: https://bz.apache.org/SpamAssassin/show_bug.cgi?id=7383 ...where you cannot tell txrep where the tx_reputation file is for systemwide use, but the patch in that bug works, so I have patched the txrep plugin that came with 3.4.2, and it now respects the auto_whitelist_path setting in local.cf. Simon -- Simon Wilson M: 0400 12 11 16 - End message from "Kevin A. McGrail" - -- Simon Wilson M: 0400 12 11 16
Re: AWL on 3.4
There are several CVEs in that version of SA. 3.4.5 is imminent with the release created and votes necessary given. I know I for one will be looking forward to the end of 3.4 branch and the focus on 4.0. Anyway, you might want to upgrade. TxRep works but I agree it has some bugs. I'm hoping to pay more attention to them now that 4.0 is the active codebase. Regards, KAM -- Kevin A. McGrail Member, Apache Software Foundation Chair Emeritus Apache SpamAssassin Project https://www.linkedin.com/in/kmcgrail - 703.798.0171 On Sun, Mar 21, 2021 at 3:04 AM Simon Wilson wrote: > - Message from John Hardin - > Date: Sat, 20 Mar 2021 08:08:17 -0700 (PDT) > From: John Hardin > Subject: Re: AWL on 3.4 > To: users@spamassassin.apache.org > > > > On Sun, 21 Mar 2021, Simon Wilson wrote: > > > >> I've just migrated and updated to SA 3.4, and have moved the Bayes > >> db to Redis. I used to use AWL but don't think the module is loaded > >> in 3.4, am I correct? > >> > >> There seems to be mixed commentary online about whether to enable > >> it - I'll leave it off for a few weeks and see how it goes, but am > >> interested in comments on its usefulness? > > > > It pretty much been replaced by TxRep. > > > - End message from John Hardin - > > > Thanks. I enabled TxRep and will see how it goes. I did run into this bug: > > https://bz.apache.org/SpamAssassin/show_bug.cgi?id=7383 > > ...where you cannot tell txrep where the tx_reputation file is for > systemwide use, but the patch in that bug works, so I have patched the > txrep plugin that came with 3.4.2, and it now respects the > auto_whitelist_path setting in local.cf. > > Simon > > -- > Simon Wilson > M: 0400 12 11 16 > >
Re: AWL on 3.4
- Message from John Hardin - Date: Sat, 20 Mar 2021 08:08:17 -0700 (PDT) From: John Hardin Subject: Re: AWL on 3.4 To: users@spamassassin.apache.org On Sun, 21 Mar 2021, Simon Wilson wrote: I've just migrated and updated to SA 3.4, and have moved the Bayes db to Redis. I used to use AWL but don't think the module is loaded in 3.4, am I correct? There seems to be mixed commentary online about whether to enable it - I'll leave it off for a few weeks and see how it goes, but am interested in comments on its usefulness? It pretty much been replaced by TxRep. - End message from John Hardin - Thanks. I enabled TxRep and will see how it goes. I did run into this bug: https://bz.apache.org/SpamAssassin/show_bug.cgi?id=7383 ...where you cannot tell txrep where the tx_reputation file is for systemwide use, but the patch in that bug works, so I have patched the txrep plugin that came with 3.4.2, and it now respects the auto_whitelist_path setting in local.cf. Simon -- Simon Wilson M: 0400 12 11 16
Re: AWL on 3.4
On Sun, 21 Mar 2021 00:36:05 +1000 Simon Wilson wrote: > I've just migrated and updated to SA 3.4, and have moved the Bayes db > to Redis. I used to use AWL but don't think the module is loaded in > 3.4, am I correct? It's just a matter of uncommenting the line in v310.pre I don't think it was ever on by default.
Re: AWL on 3.4
On Sun, 21 Mar 2021, Simon Wilson wrote: I've just migrated and updated to SA 3.4, and have moved the Bayes db to Redis. I used to use AWL but don't think the module is loaded in 3.4, am I correct? There seems to be mixed commentary online about whether to enable it - I'll leave it off for a few weeks and see how it goes, but am interested in comments on its usefulness? It pretty much been replaced by TxRep. -- John Hardin KA7OHZhttp://www.impsec.org/~jhardin/ jhar...@impsec.org pgpk -a jhar...@impsec.org key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79 --- 294 days since the first private commercial manned orbital mission (SpaceX)
AWL on 3.4
I've just migrated and updated to SA 3.4, and have moved the Bayes db to Redis. I used to use AWL but don't think the module is loaded in 3.4, am I correct? There seems to be mixed commentary online about whether to enable it - I'll leave it off for a few weeks and see how it goes, but am interested in comments on its usefulness? Simon -- Simon Wilson M: 0400 12 11 16
Re: AWL
On 18.10.2019 17.41, Bowie Bailey wrote: On 10/17/2019 2:30 PM, Jari Fredriksson wrote: Just a side note: AWL is deprecated and replaced by TXREP which works in similar fashion but better, Just read through the man page for TXREP, which looks pretty interesting. I'm thinking of switching my system over. Is there a guide somewhere for what you need to do to switch from AWL to TXREP? I know the databases can be reused with a name change, but the docs are a bit vague about which databases to change and what the new names should be. Also, are there any recommended config changes, or are the default values good enough? I do not remember any more what I did, so I can't help. I guess I started using TXREP from scratch and never used AWL because it was bad. -- Statistics means never having to say you're certain.
Re: AWL
On 10/17/2019 2:30 PM, Jari Fredriksson wrote: > > Just a side note: AWL is deprecated and replaced by TXREP which works in > similar fashion but better, > Just read through the man page for TXREP, which looks pretty interesting. I'm thinking of switching my system over. Is there a guide somewhere for what you need to do to switch from AWL to TXREP? I know the databases can be reused with a name change, but the docs are a bit vague about which databases to change and what the new names should be. Also, are there any recommended config changes, or are the default values good enough? -- Bowie
Re: AWL
On 16.10.2019 16.19, John Schmerold wrote: Is the AWL score generated based on the experience of my server, or are other external sources feeding AWL? I have a client, they sent me an email, they were dinged with an AWL of 3.575, my SA server was configured a couple days ago, so it hasn't had much time to auto-learn much of anything, I would whitelist the client, but want to help them improve the deliver-ability of their communications by better understanding what tripping up their SA score. Thanks. Just a side note: AWL is deprecated and replaced by TXREP which works in similar fashion but better,
Re: AWL
On 16 Oct 2019, at 9:19, John Schmerold wrote: Is the AWL score generated based on the experience of my server, or are other external sources feeding AWL? AWL is entirely local. The keys are tuples of the first 3 octets of the client IP and the sender address. On a new server, it is generally a better idea to enable TxRep instead of AWL. I have a client, they sent me an email, they were dinged with an AWL of 3.575, my SA server was configured a couple days ago, so it hasn't had much time to auto-learn much of anything, One message is enough with AWL. -- Bill Cole b...@scconsult.com or billc...@apache.org (AKA @grumpybozo and many *@billmail.scconsult.com addresses)
AWL
Is the AWL score generated based on the experience of my server, or are other external sources feeding AWL? I have a client, they sent me an email, they were dinged with an AWL of 3.575, my SA server was configured a couple days ago, so it hasn't had much time to auto-learn much of anything, I would whitelist the client, but want to help them improve the deliver-ability of their communications by better understanding what tripping up their SA score. Thanks. -- John Schmerold Katy Computer Systems, Inc https://katycomputer.com St Louis
Re: Custom rule based on AWL score
On 24/10/16 16:46, John Hardin wrote: Paul: I haven't looked at the plugin myself yet, but here's a suggestion: have a mode where you can mark a RE as capturing a numeric value, and the rule's hit value is the value that the RE captured. This would (for example) let the AWL/TXREP mean be captured in a way it could be compared using gt/lt in a meta. Perhaps: tagcapnum __TXREP_IP_MEAN_TXREP_IP_MEAN_ /^(-?[\d]+(?:\.\d+)?)$/ metaTAGMATCH_TXREP_IP_HIGHSCORE __TXREP_IP_MEAN > 5.0 describeTAGMATCH_TXREP_IP_HIGHSCORE TXRep mean score quite large score TAGMATCH_TXREP_IP_HIGHSCORE 0.1 (...this sort of thing might be really useful as a general purpose rule type in base SA too...) Hmm doesn't look like this would be possible with minus (-) numbers unless I'm reading the PMS src wrong :/ Paul -- Paul Stead Systems Engineer Zen Internet
Re: Custom rule based on AWL score
On 24/10/16 16:46, John Hardin wrote: Paul: I haven't looked at the plugin myself yet, but here's a suggestion: have a mode where you can mark a RE as capturing a numeric value, and the rule's hit value is the value that the RE captured. This would (for example) let the AWL/TXREP mean be captured in a way it could be compared using gt/lt in a meta. Perhaps: tagcapnum __TXREP_IP_MEAN_TXREP_IP_MEAN_ /^(-?[\d]+(?:\.\d+)?)$/ metaTAGMATCH_TXREP_IP_HIGHSCORE __TXREP_IP_MEAN > 5.0 describeTAGMATCH_TXREP_IP_HIGHSCORE TXRep mean score quite large score TAGMATCH_TXREP_IP_HIGHSCORE 0.1 (...this sort of thing might be really useful as a general purpose rule type in base SA too...) Thanks for the suggestion John - this looks like an elegant solution to the problem, I'll look into this at some point soon. Paul -- Paul Stead Systems Engineer Zen Internet
Re: Custom rule based on AWL score
On Mon, 24 Oct 2016, SimpleRezo wrote: So, to the OP: try the tagmatch plugin to look at where _AWLMEAN_ is (e.g.) <= -1 and _AWLCOUNT_ is greater than (e.g.) 10 and that may get you what you want for a meta to use with the rules you want to control. Thank you Paul & John, it looks like I will be able to achieve what I want with tagmatch & _AWL* tags ! Paul, will be awesome to be able to do gt/lt (of course for now I can deal with regexp to achieve this) Paul: I haven't looked at the plugin myself yet, but here's a suggestion: have a mode where you can mark a RE as capturing a numeric value, and the rule's hit value is the value that the RE captured. This would (for example) let the AWL/TXREP mean be captured in a way it could be compared using gt/lt in a meta. Perhaps: tagcapnum __TXREP_IP_MEAN_TXREP_IP_MEAN_ /^(-?[\d]+(?:\.\d+)?)$/ metaTAGMATCH_TXREP_IP_HIGHSCORE __TXREP_IP_MEAN > 5.0 describeTAGMATCH_TXREP_IP_HIGHSCORE TXRep mean score quite large score TAGMATCH_TXREP_IP_HIGHSCORE 0.1 (...this sort of thing might be really useful as a general purpose rule type in base SA too...) -- John Hardin KA7OHZhttp://www.impsec.org/~jhardin/ jhar...@impsec.orgFALaholic #11174 pgpk -a jhar...@impsec.org key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79 --- When designing software, any time you think to yourself "a user would never be stupid enough to do *that*", you're wrong. --- 307 days since the first successful real return to launch site (SpaceX)
Re: Custom rule based on AWL score
>So, to the OP: try the tagmatch plugin to look at where _AWLMEAN_ is >(e.g.) <= -1 and _AWLCOUNT_ is greater than (e.g.) 10 and that may get you >what you want for a meta to use with the rules you want to control. Thank you Paul & John, it looks like I will be able to achieve what I want with tagmatch & _AWL* tags ! Paul, will be awesome to be able to do gt/lt (of course for now I can deal with regexp to achieve this) -- SimpleRezo https://www.simplerezo.com/ - -- SimpleRezo http://www.simplerezo.com/ -- View this message in context: http://spamassassin.1065346.n5.nabble.com/Custom-rule-based-on-AWL-score-tp123087p123131.html Sent from the SpamAssassin - Users mailing list archive at Nabble.com.
Re: Custom rule based on AWL score
On Fri, 21 Oct 2016, Paul Stead wrote: On 21/10/16 18:40, Paul Stead wrote: On 21/10/16 16:22, John Hardin wrote: > I was going to say: you can't write a rule based on the *current* AWL > adjustment because that's calculated after all the rules have hit. But > SA *could* potentially have a rule that checks the current historical > average that AWL uses... > > I suggest you file a New Feature bug to expose a mechanism to use the > current AWL average (not the per-message adjustment) in a rule. Yikes, sorry in my haste I didn't read *AWL* https://spamassassin.apache.org/full/3.4.x/doc/Mail_SpamAssassin_Plugin_AWL.html#template_tags So, to the OP: try the tagmatch plugin to look at where _AWLMEAN_ is (e.g.) <= -1 and _AWLCOUNT_ is greater than (e.g.) 10 and that may get you what you want for a meta to use with the rules you want to control. -- John Hardin KA7OHZhttp://www.impsec.org/~jhardin/ jhar...@impsec.orgFALaholic #11174 pgpk -a jhar...@impsec.org key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79 --- The third basic rule of firearms safety: Keep your booger hook off the bang switch! --- 304 days since the first successful real return to launch site (SpaceX)
Re: Custom rule based on AWL score
On 21/10/16 18:40, Paul Stead wrote: On 21/10/16 16:22, John Hardin wrote: I was going to say: you can't write a rule based on the *current* AWL adjustment because that's calculated after all the rules have hit. But SA *could* potentially have a rule that checks the current historical average that AWL uses... I suggest you file a New Feature bug to expose a mechanism to use the current AWL average (not the per-message adjustment) in a rule. Yikes, sorry in my haste I didn't read *AWL* https://spamassassin.apache.org/full/3.4.x/doc/Mail_SpamAssassin_Plugin_AWL.html#template_tags Paul -- Paul Stead Systems Engineer Zen Internet
Re: Custom rule based on AWL score
On 21/10/16 18:53, Paul Stead wrote:
tagmatch TAGMATCH_TXREP_IP_LOWSCORE _TXREP_IP_MEAN_
/^\-[0-9]{2,}(?:\.[0-9]+)?$/
describe TAGMATCH_TXREP_IP_LOWSCORE TxRep mean score quite low
scoreTAGMATCH_TXREP_IP_HIGHSCORE -0.1
Also - typo on score rulename!
--
Paul Stead
Systems Engineer
Zen Internet
Re: Custom rule based on AWL score
On 21/10/16 18:40, Paul Stead wrote:
A plugin I've developed could be handy here:
https://github.com/fmbla/spamassassin-tagmatch
tagmatch TAGMATCH_TXREP_IP_HIGHSCORE _TXREP_IP_MEAN_
/^[1-9][0-9]+(?:\.[0-9]+)?$/
describe TAGMATCH_TXREP_IP_HIGHSCORE TXRep mean score quite large
scoreTAGMATCH_TXREP_IP_HIGHSCORE 0.1
tagmatch TAGMATCH_TXREP_IP_LOWSCORE _TXREP_IP_MEAN_
/^\-[0-9]{2,}(?:\.[0-9]+)?$/
describe TAGMATCH_TXREP_IP_LOWSCORE TxRep mean score quite low
scoreTAGMATCH_TXREP_IP_HIGHSCORE -0.1
tagmatch TAGMATCH_TXREP_IP_UNKNOWN _TXREP_IP_UNKNOWN_ /^1$/
describe TAGMATCH_TXREP_IP_UNKNOWN IP unknown to TxRep
scoreTAGMATCH_TXREP_IP_UNKNOWN 0.1
As an aside - this alone shouldn't be used to blacklist/whitelist as the
mean doesn't take into account the number of emails it's seen, maybe
meta a few tag matches together
tagmatch __TAGMATCH_TXREP_IP_COUNT_LOTS _TXREP_IP_COUNT_ /^[1-9][0-9]{2,}$/
tagmatch __TAGMATCH_TXREP_IP_HIGHSCORE _TXREP_IP_MEAN_
/^[1-9][0-9]+(?:\.[0-9]+)?$/
Will work - I don't have gt/lt functions built in yet, if people think
it worth it I'll have a play after the weekend
Paul
--
Paul Stead
Systems Engineer
Zen Internet
Re: Custom rule based on AWL score
On 21/10/16 16:22, John Hardin wrote:
I was going to say: you can't write a rule based on the *current* AWL
adjustment because that's calculated after all the rules have hit. But
SA *could* potentially have a rule that checks the current historical
average that AWL uses...
I suggest you file a New Feature bug to expose a mechanism to use the
current AWL average (not the per-message adjustment) in a rule.
A plugin I've developed could be handy here:
https://github.com/fmbla/spamassassin-tagmatch
tagmatch TAGMATCH_TXREP_IP_HIGHSCORE _TXREP_IP_MEAN_
/^[1-9][0-9]+(?:\.[0-9]+)?$/
describe TAGMATCH_TXREP_IP_HIGHSCORE TXRep mean score quite large
scoreTAGMATCH_TXREP_IP_HIGHSCORE 0.1
tagmatch TAGMATCH_TXREP_IP_LOWSCORE _TXREP_IP_MEAN_ /^\-[0-9]{2,}(?:\.[0-9]+)?$/
describe TAGMATCH_TXREP_IP_LOWSCORE TxRep mean score quite low
scoreTAGMATCH_TXREP_IP_HIGHSCORE -0.1
tagmatch TAGMATCH_TXREP_IP_UNKNOWN _TXREP_IP_UNKNOWN_ /^1$/
describe TAGMATCH_TXREP_IP_UNKNOWN IP unknown to TxRep
scoreTAGMATCH_TXREP_IP_UNKNOWN 0.1
You can use the other TXREP Tags of course (and any other tags provided
by plugins):
https://spamassassin.apache.org/full/3.4.x/doc/Mail_SpamAssassin_Plugin_TxRep.html#template_tags
Paul
--
Paul Stead
Systems Engineer
Zen Internet
Re: Custom rule based on AWL score
On Fri, 21 Oct 2016, Axb wrote: On 10/21/2016 04:43 PM, Bill Cole wrote: The blocker to that approach has already been stated: they have no mechanism for users to add their contacts to the SA static whitelist. Imo, this you'd normally do at MTA and/or glue level to bypass expensive SA content scanning and save time & cycles. +1 -- John Hardin KA7OHZhttp://www.impsec.org/~jhardin/ jhar...@impsec.orgFALaholic #11174 pgpk -a jhar...@impsec.org key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79 --- Anyone who uses the word "profit" as a dirty word should be watched very, very carefully. If they hate the idea of gain through free trade it can only mean that they’re looking to get it through robbery. -- Lyle@Ultimak --- 304 days since the first successful real return to launch site (SpaceX)
Re: Custom rule based on AWL score
On Fri, 21 Oct 2016, Kevin Golding wrote: On Fri, 21 Oct 2016 11:48:41 +0100, simplerezo <simpler...@gmail.com> wrote: > very unknown users can't by definition hit AWL. That's why my wanted rule is score(AWL) > -1 : all users that have not yet send enough not-spam mails can not, for example, send me invoices as zip attachment (yes, there is some big company that are actually sending invoice that way...). You can hook into the AWL database pretty easily. I used to run a plugin that did similar to what you're trying to achieve that just polled the AWL database and set a flag to trigger a rule with a static score - then you can go meta crazy with it. I was going to say: you can't write a rule based on the *current* AWL adjustment because that's calculated after all the rules have hit. But SA *could* potentially have a rule that checks the current historical average that AWL uses... I suggest you file a New Feature bug to expose a mechanism to use the current AWL average (not the per-message adjustment) in a rule. -- John Hardin KA7OHZhttp://www.impsec.org/~jhardin/ jhar...@impsec.orgFALaholic #11174 pgpk -a jhar...@impsec.org key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79 --- Precision mis-clicks since 1994! --- 304 days since the first successful real return to launch site (SpaceX)
Re: Custom rule based on AWL score
On 10/21/2016 04:43 PM, Bill Cole wrote: The blocker to that approach has already been stated: they have no mechanism for users to add their contacts to the SA static whitelist. Imo, this you'd normally do at MTA and/or glue level to bypass expensive SA content scanning and save time & cycles. Axb
Re: Custom rule based on AWL score
On 20 Oct 2016, at 12:14, Ian Zimmerman wrote: Whitelisted senders get a _huge_ bonus (I think it's 100 points by default, maybe customizable), so they won't be affected if you do it right. The blocker to that approach has already been stated: they have no mechanism for users to add their contacts to the SA static whitelist. The problem with using the AWL or TxRep databases for this is that they cut both ways and are TOO automatic. This is a legitimate need that lacks a really good solution inside SpamAssassin because it needs to draw on end-user knowledge to exempt specific messages from exterior border filtering. The canonical solution would be to give users a way to feed their important contacts into a static whitelist but as far as I know, there's no widely-used tool for doing that with SA. Everyone seems to build their own idiosyncratic mechanisms for user feedback or they have none. If one has an existing mechanism for automating user feedback of missed spam into the BayesDB, it could in principle be inverted to let users report mail that should be learned as ham, but that's not really ideal for this case because the problem is in content patterns that are common between the most valuabler and most dangerous messages. Learning a lot of legitimate invoices or other important mail as ham will help the best-crafted spear-phishing messages as well. Also, this is a bit hypothetical given how many users just don't bother with feedback tools or misreport messages. An alternative (imperfect) approach would be to use a meta rule making the anti-phish local rules strong only if a message lacks trustworthy authentication, e.g. DKIM_VALID_AU. Obviously this will catch legitimate but unsigned mail, however as long as one either tags and delivers spam or rejects it in SMTP, that will provide notice and incentive to get legitimate correspondents to sign their mail. In principle it would be wise for everyone to encrypt all high-value mail, but that's probably too high a bar to require for most businesses. I've seen that tried to some degree, requiring anyone invoicing via email to encrypt invoice mail, but it largely pushed vendors back to postal and non-email electronic mechanisms rather than got them to behave securely.
Re: Custom rule based on AWL score
On 10/21/2016 6:48 AM, simplerezo wrote: it also helps frequent spammers known to spam to prevent false negative. Absolutely. very unknown users can't by definition hit AWL. That's why my wanted rule is score(AWL) > -1 : all users that have not yet send enough not-spam mails can not, for example, send me invoices as zip attachment (yes, there is some big company that are actually sending invoice that way...). So the spammer who has previously been sending spams with an average score of 6 now sends one scoring 10. AWL assigns a score of -2 and you allow it through. Sender sends a more spammy message than usual = negative AWL score Sender sends a less spammy message than usual = positive AWL score The AWL score has *NOTHING* to do with the reputation of the sender. It is based on the difference between the current score and the sender's previous average score. It sounds like what you really want is to get the AWL average for the current sender. You may be able to pull that from the AWL database with a plugin, but this is not the same thing as the score. -- Bowie
Re: R: Custom rule based on AWL score
On 20/10/16 17:44, Nicola Piazzi wrote: Why not try my powerful plugin to reduce score of known users ? Is based on people that answer to us and in my case, after 3 week of learning, it HIT 70% of incoming messages that are absolutely ham Looks really interesting. How it behaves in ipv6 environment? Given that it tries to extract C class from IP address. Will it just silently skip the check or crash miserably? k.
Re: Custom rule based on AWL score
On Fri, 21 Oct 2016 03:48:41 -0700 (MST) simplerezo wrote: > > it also helps frequent spammers known to spam to prevent false > > negative. > > Absolutely. > > > very unknown users can't by definition hit AWL. > > That's why my wanted rule is score(AWL) > -1 : all users that have > not yet send enough not-spam mails can not, for example, send me > invoices as zip attachment (yes, there is some big company that are > actually sending invoice that way...). Spam that hits AWL can have a negative AWL score too. It may be that more ham than spam hits AWL, but you can't infer anything from the rule's score. > I'm not a huge-fan of whitelist, because: >- contrary of AWL (address + IP), it only rely on sending > address... and as everyone knows, that's definitely not something > very trustable ; It's actually the other way around. There are whitelists based on dkim and spf which are very hard to beat. AWL uses the first IP address which can be forged. A lot of people switched to the TxRep plugin for that reason.
Re: Custom rule based on AWL score
> it also helps frequent spammers known to spam to prevent false negative. Absolutely. > very unknown users can't by definition hit AWL. That's why my wanted rule is score(AWL) > -1 : all users that have not yet send enough not-spam mails can not, for example, send me invoices as zip attachment (yes, there is some big company that are actually sending invoice that way...). I'm not a huge-fan of whitelist, because: - contrary of AWL (address + IP), it only rely on sending address... and as everyone knows, that's definitely not something very trustable ; - this requires my users to configure this, and most of them are already finding IT too much complicated :) -- Clement SimpleRezo http://www.simplerezo.com/ -- View this message in context: http://spamassassin.1065346.n5.nabble.com/Custom-rule-based-on-AWL-score-tp123087p123102.html Sent from the SpamAssassin - Users mailing list archive at Nabble.com.
Re: Custom rule based on AWL score
On 20.10.16 08:34, simplerezo wrote: My understanding is that AWL is helping frequent senders who are known to not send spam to "reduce" their spam score, preventing false positive. it also helps frequent spammers known to spam to prevent false negative. That's exactly what I want to rely on for my rules: adding score for mail with "invoice" pretention and an attachment but only for very unknown users (or spammers). very unknown users can't by definition hit AWL. -- Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/ Warning: I wish NOT to receive e-mail advertising to this address. Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu. Quantum mechanics: The dreams stuff is made of.
Re: Custom rule based on AWL score
On Thu, 20 Oct 2016, Bowie Bailey wrote: On 10/20/2016 12:55 PM, David B Funk wrote: On Thu, 20 Oct 2016, John Hardin wrote: > On Thu, 20 Oct 2016, Ian Zimmerman wrote: > > > On 2016-10-20 08:34, simplerezo wrote: > > > > > My understanding is that AWL is helping frequent senders who are > > > known > > > to not send spam to "reduce" their spam score, preventing false > > > positive. That's exactly what I want to rely on for my rules: adding > > > score for mail with "invoice" pretention and an attachment but only > > > for very unknown users (or spammers). > > > > Just add your custom rules globally, with reasonable scores. > > > > Whitelisted senders get a _huge_ bonus (I think it's 100 points by > > default, maybe customizable), so they won't be affected if you do it > > right. > > ITYM -100 points. :) > > Small but important detail... :) which is why I like the "dev_whitelist*" variety. They have a value of -7.5 (instead of that -100 sledgehammer) which is usually enough to get legit mail thru but not enough to swamp out a major rules hit on real spam (which happens to get issued by the people you're trying to protect). EG: def_whitelist_auth *@nih.gov Interesting, but completely irrelevant here since we're talking about AWL and *not* the normal whitelist rules. AWL scores are dynamic and can be either positive or negative. Yes but the OP's problem would *probably* be addressed by whitelisting the senders rather than trying to ignore specific rules based on AWL, which cannot at present be done. -- John Hardin KA7OHZhttp://www.impsec.org/~jhardin/ jhar...@impsec.orgFALaholic #11174 pgpk -a jhar...@impsec.org key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79 --- A superior gunman is one who uses his superior judgment to keep himself out of situations that would require the use of his superior skills. --- 303 days since the first successful real return to launch site (SpaceX)
Re: Custom rule based on AWL score
On 10/20/2016 12:55 PM, David B Funk wrote: On Thu, 20 Oct 2016, John Hardin wrote: On Thu, 20 Oct 2016, Ian Zimmerman wrote: On 2016-10-20 08:34, simplerezo wrote: My understanding is that AWL is helping frequent senders who are known to not send spam to "reduce" their spam score, preventing false positive. That's exactly what I want to rely on for my rules: adding score for mail with "invoice" pretention and an attachment but only for very unknown users (or spammers). Just add your custom rules globally, with reasonable scores. Whitelisted senders get a _huge_ bonus (I think it's 100 points by default, maybe customizable), so they won't be affected if you do it right. ITYM -100 points. :) Small but important detail... :) which is why I like the "dev_whitelist*" variety. They have a value of -7.5 (instead of that -100 sledgehammer) which is usually enough to get legit mail thru but not enough to swamp out a major rules hit on real spam (which happens to get issued by the people you're trying to protect). EG: def_whitelist_auth *@nih.gov Interesting, but completely irrelevant here since we're talking about AWL and *not* the normal whitelist rules. AWL scores are dynamic and can be either positive or negative. -- Bowie
Re: R: Custom rule based on AWL score
On 10/20/2016 06:44 PM, Nicola Piazzi wrote: Why not try my powerful plugin to reduce score of known users ? Is based on people that answer to us and in my case, after 3 week of learning, it HIT 70% of incoming messages that are absolutely ham http://saplugin.16mb.com/ If you mean your OW plugin The fact that "It can be used ONLY when the spamassassin installation is in the same smarthost that deliver both incoming and outgoing emails." rules out its usage in many larger setups. Pity... Axv
Re: Custom rule based on AWL score
On Thu, 20 Oct 2016, John Hardin wrote:
On Thu, 20 Oct 2016, Ian Zimmerman wrote:
On 2016-10-20 08:34, simplerezo wrote:
My understanding is that AWL is helping frequent senders who are known
to not send spam to "reduce" their spam score, preventing false
positive. That's exactly what I want to rely on for my rules: adding
score for mail with "invoice" pretention and an attachment but only
for very unknown users (or spammers).
Just add your custom rules globally, with reasonable scores.
Whitelisted senders get a _huge_ bonus (I think it's 100 points by
default, maybe customizable), so they won't be affected if you do it
right.
ITYM -100 points. :)
Small but important detail... :)
which is why I like the "dev_whitelist*" variety. They have a value of -7.5
(instead of that -100 sledgehammer) which is usually enough to get legit mail
thru but not enough to swamp out a major rules hit on real spam (which happens
to get issued by the people you're trying to protect).
EG:
def_whitelist_auth *@nih.gov
--
Dave Funk University of Iowa
College of Engineering
319/335-5751 FAX: 319/384-0549 1256 Seamans Center
Sys_admin/Postmaster/cell_adminIowa City, IA 52242-1527
#include
Better is not better, 'standard' is better. B{
R: Custom rule based on AWL score
Why not try my powerful plugin to reduce score of known users ? Is based on people that answer to us and in my case, after 3 week of learning, it HIT 70% of incoming messages that are absolutely ham http://saplugin.16mb.com/ Nicola Piazzi CED - Sistemi COMET s.p.a. Via Michelino, 105 - 40127 Bologna - Italia Tel. +39 051.6079.293 Cell. +39 328.21.73.470 Web: www.gruppocomet.it -Messaggio originale- Da: John Hardin [mailto:jhar...@impsec.org] Inviato: giovedì 20 ottobre 2016 18:36 A: users@spamassassin.apache.org Oggetto: Re: Custom rule based on AWL score On Thu, 20 Oct 2016, Ian Zimmerman wrote: > On 2016-10-20 08:34, simplerezo wrote: > >> My understanding is that AWL is helping frequent senders who are >> known to not send spam to "reduce" their spam score, preventing false >> positive. That's exactly what I want to rely on for my rules: adding >> score for mail with "invoice" pretention and an attachment but only >> for very unknown users (or spammers). > > Just add your custom rules globally, with reasonable scores. > > Whitelisted senders get a _huge_ bonus (I think it's 100 points by > default, maybe customizable), so they won't be affected if you do it > right. ITYM -100 points. :) Small but important detail... :) -- John Hardin KA7OHZhttp://www.impsec.org/~jhardin/ jhar...@impsec.orgFALaholic #11174 pgpk -a jhar...@impsec.org key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79 --- No representation without taxation! --- 303 days since the first successful real return to launch site (SpaceX)
Re: Custom rule based on AWL score
On Thu, 20 Oct 2016, Ian Zimmerman wrote: On 2016-10-20 08:34, simplerezo wrote: My understanding is that AWL is helping frequent senders who are known to not send spam to "reduce" their spam score, preventing false positive. That's exactly what I want to rely on for my rules: adding score for mail with "invoice" pretention and an attachment but only for very unknown users (or spammers). Just add your custom rules globally, with reasonable scores. Whitelisted senders get a _huge_ bonus (I think it's 100 points by default, maybe customizable), so they won't be affected if you do it right. ITYM -100 points. :) Small but important detail... :) -- John Hardin KA7OHZhttp://www.impsec.org/~jhardin/ jhar...@impsec.orgFALaholic #11174 pgpk -a jhar...@impsec.org key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79 --- No representation without taxation! --- 303 days since the first successful real return to launch site (SpaceX)
Re: Custom rule based on AWL score
On Thu, 20 Oct 2016 08:34:04 -0700 (MST) simplerezo wrote: > My understanding is that AWL is helping frequent senders who are > known to not send spam to "reduce" their spam score, preventing false > positive. Which is why I pointed you towards a short paragraph that describes what it actually does: "This plugin module provides support for the auto-whitelist. It keeps track of the average SpamAssassin score for senders. Senders are tracked using a combination of their From: address and their IP address. It then uses that average score to reduce the variability in scoring from message to message and modifies the final score by pushing the result towards the historical average. This improves the accuracy of filtering for most email."
Re: Custom rule based on AWL score
On 2016-10-20 08:34, simplerezo wrote: > My understanding is that AWL is helping frequent senders who are known > to not send spam to "reduce" their spam score, preventing false > positive. That's exactly what I want to rely on for my rules: adding > score for mail with "invoice" pretention and an attachment but only > for very unknown users (or spammers). Just add your custom rules globally, with reasonable scores. Whitelisted senders get a _huge_ bonus (I think it's 100 points by default, maybe customizable), so they won't be affected if you do it right. -- Please *no* private Cc: on mailing lists and newsgroups Personal signed mail: please _encrypt_ and sign Don't clear-text sign: http://cr.yp.to/smtp/8bitmime.html
Re: Custom rule based on AWL score
My understanding is that AWL is helping frequent senders who are known to not send spam to "reduce" their spam score, preventing false positive. That's exactly what I want to rely on for my rules: adding score for mail with "invoice" pretention and an attachment but only for very unknown users (or spammers). -- View this message in context: http://spamassassin.1065346.n5.nabble.com/Custom-rule-based-on-AWL-score-tp123087p123091.html Sent from the SpamAssassin - Users mailing list archive at Nabble.com.
Re: Custom rule based on AWL score
On Thu, 20 Oct 2016 08:01:17 -0700 (MST) simplerezo wrote: > Because our users cannot easyly add all theirs contacts to whitelist. > > AWL is a great feature, and it's working well: so it would be nice > for us to put some restrictives rules only active for "unknown" users > (example: "invoices" ...). I don't think you understand what AWL actually does. Read the description section of: https://spamassassin.apache.org/full/3.4.x/doc/Mail_SpamAssassin_Plugin_AWL.html
Re: Custom rule based on AWL score
Because our users cannot easyly add all theirs contacts to whitelist. AWL is a great feature, and it's working well: so it would be nice for us to put some restrictives rules only active for "unknown" users (example: "invoices" ...). -- View this message in context: http://spamassassin.1065346.n5.nabble.com/Custom-rule-based-on-AWL-score-tp123087p123089.html Sent from the SpamAssassin - Users mailing list archive at Nabble.com.
Re: Custom rule based on AWL score
On Thu, 20 Oct 2016 03:55:29 -0700 (MST) simplerezo wrote: > Hi, > > Is it possible to write rule based on AWL score? No > We have some customs rules that we don't want to enable for > "well-known" contacts... Why not just whitelist them?
Custom rule based on AWL score
Hi, Is it possible to write rule based on AWL score? We have some customs rules that we don't want to enable for "well-known" contacts... I tried this: metaSR__AWL ( AWL <= -1 ) describeSR__AWL AWL is at least -1 score SR__AWL -0.01 But it does not seems to work... -- View this message in context: http://spamassassin.1065346.n5.nabble.com/Custom-rule-based-on-AWL-score-tp123087.html Sent from the SpamAssassin - Users mailing list archive at Nabble.com.
Re: AWL on per-user basis
Good day! You were completely right: after I added '-u debian-spamd' (this user was automatically created at the time of package installation) to the spamd start string in the /etc/default/spamassassin AWL started working right as expected. The database is now filled almost as expected: *** 9. row *** username: m...@mmm.mmm email: f...@fff.fff ip: none count: 1 totscore: 0.179 signedby: Thank you for your advice! What bothers me now are the values of the 'ip' and 'signedby' fields: I don't seem to understand what they are needed for and whether the data that they contain is of any importance? If there is a link to read, I will be glad to follow it. I have a suspicion that IP address will be set as soon as I will start sending and receiving mail to/from remote hosts that are not on my 'allowed-ips' list. Can you confirm? Unfortunately, I can't test receiving right now -- I'm on a development environment. But what about the 'signedby' field? Boris On 16 January 2016 at 17:36, RW <rwmailli...@googlemail.com> wrote: > On Sat, 16 Jan 2016 15:07:36 +0300 > ? wrote: > > > > No, spamd is running as user "root", so I don't have the "-u" key > > anywhere in the smapd configs. I'm sorry for not making this clear > > enough. > > > > What I meant to say is that when I send or receive a message through > > my Exim (on the remote host) it passes the message to the spamd by > > calling a locally installed (i.e. installed on the same host where > > Exim is) spamc binary with the following command: "spamc > > -F /etc/spamc/spamc.conf -u $local_part@$domain". Unfortunately, I am > > still unable to get this setup working properly with AWL, as username > > in the AWL table is set to "nobody". > > > Running spamd without -u is intended to support unix account users. In > this case the spamd child process drops its privileges from root to the > user running spamc or the user specified by spamc -u. This allows spamd > to access home directories without running as root. Probably what's > happening is that as $local_part@$domain isn't a unix user, spamd is > overriding it with the unix user "nobody" to avoid scanning an email as > root. > > You should be running spamd with "-u spamd" which causes spamd to drop > its privileges to the unprivileged user spamd after it has bound to > the default port (it's usually called spamd, but your spamassassin > package may have created some other user for this purpose). When you do > this, the user in spamc -u can be treated as a virtual user. > > > >
Re: AWL on per-user basis
Good day! Thanks for your reply. No, spamd is running as user "root", so I don't have the "-u" key anywhere in the smapd configs. I'm sorry for not making this clear enough. What I meant to say is that when I send or receive a message through my Exim (on the remote host) it passes the message to the spamd by calling a locally installed (i.e. installed on the same host where Exim is) spamc binary with the following command: "spamc -F /etc/spamc/spamc.conf -u $local_part@$domain". Unfortunately, I am still unable to get this setup working properly with AWL, as username in the AWL table is set to "nobody". Looking forward to your reply, Boris On 14 January 2016 at 17:49, RW <rwmailli...@googlemail.com> wrote: > On Thu, 14 Jan 2016 10:21:44 +0300 > ? wrote: > > > I'm using Spamassassin 3.4.0 on Debian Jessie and trying to set up AWL > > stored in SQL on a per-user basis. My setup is as follows: > > > > 1) Spamassassin is run as 'spamd' on behalf of user root, the options > > string is as follows: > > Is spamd getting "-u spamd" or "--username=spamd" from some other > part of the configuration? In my experience you still need this even if > you start the daemon directly as spamd. > > > OPTIONS="-D --create-prefs -x -q -Q --max-children 5 > > --helper-home-dir -i --allow-tell > > --allowed-ips=" >
Re: AWL on per-user basis
On Sat, 16 Jan 2016 15:07:36 +0300 ? wrote: > No, spamd is running as user "root", so I don't have the "-u" key > anywhere in the smapd configs. I'm sorry for not making this clear > enough. > > What I meant to say is that when I send or receive a message through > my Exim (on the remote host) it passes the message to the spamd by > calling a locally installed (i.e. installed on the same host where > Exim is) spamc binary with the following command: "spamc > -F /etc/spamc/spamc.conf -u $local_part@$domain". Unfortunately, I am > still unable to get this setup working properly with AWL, as username > in the AWL table is set to "nobody". Running spamd without -u is intended to support unix account users. In this case the spamd child process drops its privileges from root to the user running spamc or the user specified by spamc -u. This allows spamd to access home directories without running as root. Probably what's happening is that as $local_part@$domain isn't a unix user, spamd is overriding it with the unix user "nobody" to avoid scanning an email as root. You should be running spamd with "-u spamd" which causes spamd to drop its privileges to the unprivileged user spamd after it has bound to the default port (it's usually called spamd, but your spamassassin package may have created some other user for this purpose). When you do this, the user in spamc -u can be treated as a virtual user.
Re: AWL on per-user basis
On Thu, 14 Jan 2016 10:21:44 +0300 ? wrote: > I'm using Spamassassin 3.4.0 on Debian Jessie and trying to set up AWL > stored in SQL on a per-user basis. My setup is as follows: > > 1) Spamassassin is run as 'spamd' on behalf of user root, the options > string is as follows: Is spamd getting "-u spamd" or "--username=spamd" from some other part of the configuration? In my experience you still need this even if you start the daemon directly as spamd. > OPTIONS="-D --create-prefs -x -q -Q --max-children 5 > --helper-home-dir -i --allow-tell > --allowed-ips="
AWL on per-user basis
I'm using Spamassassin 3.4.0 on Debian Jessie and trying to set up AWL stored in SQL on a per-user basis. My setup is as follows: 1) Spamassassin is run as 'spamd' on behalf of user root, the options string is as follows: OPTIONS="-D --create-prefs -x -q -Q --max-children 5 --helper-home-dir -i --allow-tell --allowed-ips=" 2) Spamd is called by spamc (evoked by Exim) over TCP from one of the MY_REMOTE_IPS host as follows: /usr/bin/spamc -F /etc/spamc/spamc.conf -u $local_part@$domain 3) The contents of /etc/spamc/spamc.conf is as follows: === spamc.conf === # Hosts to connect to -d -t 150 -n 150 --headers Lets say, I'm sending a message from a...@aaa.aaa to f...@fff.fff. The problem I'm facing with is that when AWL table is filled in, the 'username' field is updated with 'nobody' string while I would expect it to become 'f...@fff.fff'. At the same time, 'email' field is updated with 'a...@aaa.aaa', exactly as I expected it to. I know about the option 'user_awl_sql_override_username' but not sure if I can set it to some variable that contains the username that was passed by Exim? Otherwise I found this message: http://www.gossamer-threads.com/lists/spamassassin/users/105838?search_string=AWL%20username%20nobody;#105838. According to it, I can't have per-user AWL in my setup. So, is it possible to create a per-user AWL in a global database? Any hint would be much appreciated! B.R. Boris
Re: AWL ?
On 12/23/2015 2:09 PM, Robert Schetterer wrote: i ve read some bug reports , any recent news to this ? Unfortunately, no. Bug at https://bz.apache.org/SpamAssassin/show_bug.cgi?id=7164 has gruesome details. Regards, KAM
Re: AWL ?
On 12/23/2015 10:53 AM, Olivier CALVANO wrote: Hi i have installed a new server on Centos with Postfix/Amavisd and SpamAssassin my problems, 90% of mail are tagged spam: X-Spam-Flag: YES X-Spam-Score: 22.876 X-Spam-Level: ** X-Spam-Status: Yes, score=22.876 required=5.0 tests=[AWL=20.375, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RP_MATCHES_RCVD=-0.001, CLASSIC_SUJET_GENERAL_1=2.5] autolearn=no autolearn_force=no this mail is a very simple mail. What is AWL ? why score is very big ? thanks Olivier AWL is a poorly-named and deprecated module that does score averaging. It's been replaced by TxRep which does a better job at keeping scores sane. What likely happened is the sender of the email has a very bad reputation carried over from previous emails to you being marked as spam. Clearing your AWL database will fix it as a short-term measure.
AWL ?
Hi i have installed a new server on Centos with Postfix/Amavisd and SpamAssassin my problems, 90% of mail are tagged spam: X-Spam-Flag: YES X-Spam-Score: 22.876 X-Spam-Level: ** X-Spam-Status: Yes, score=22.876 required=5.0 tests=[AWL=20.375, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RP_MATCHES_RCVD=-0.001, CLASSIC_SUJET_GENERAL_1=2.5] autolearn=no autolearn_force=no this mail is a very simple mail. What is AWL ? why score is very big ? thanks Olivier
Re: AWL ?
Am 23.12.2015 um 17:41 schrieb Reindl Harald: > > > Am 23.12.2015 um 17:33 schrieb Olivier CALVANO: >> Thanks, i clear the AWL and now it's good >> thanks >> >> for TxRep, do you know where i can find this module and the >> documentation ? > > enter "TxRep" in google leads to > https://wiki.apache.org/spamassassin/TxRep > > [root@localhost:~]$ locate TxRep > /usr/share/perl5/vendor_perl/Mail/SpamAssassin/Plugin/TxRep.pm > > [root@localhost:/etc/mail/spamassassin]$ find.sh TxRep pre > /etc/mail/spamassassin/v341.pre > > /etc/mail/spamassassin/v341.pre > [root@localhost:/etc/mail/spamassassin]$ cat > /etc/mail/spamassassin/v341.pre | grep -i TxRep > # TxRep - Reputation database that replaces AWL > # loadplugin Mail::SpamAssassin::Plugin::TxRep > [root@mail-gw:/etc/mail/spamassassin]$ > > hm looks like some stuff isnt fixed final Use of uninitialized value $msgscore in addition (+) at /usr/share/perl5/Mail/SpamAssassin/Plugin/TxRep.pm line 1415 i ve read some bug reports , any recent news to this ? Best Regards MfG Robert Schetterer -- [*] sys4 AG http://sys4.de, +49 (89) 30 90 46 64 Franziskanerstraße 15, 81669 München Sitz der Gesellschaft: München, Amtsgericht München: HRB 199263 Vorstand: Patrick Ben Koetter, Marc Schiffbauer Aufsichtsratsvorsitzender: Florian Kirstein
Re: AWL ?
Am 23.12.2015 um 17:33 schrieb Olivier CALVANO: Thanks, i clear the AWL and now it's good thanks for TxRep, do you know where i can find this module and the documentation ? enter "TxRep" in google leads to https://wiki.apache.org/spamassassin/TxRep [root@localhost:~]$ locate TxRep /usr/share/perl5/vendor_perl/Mail/SpamAssassin/Plugin/TxRep.pm [root@localhost:/etc/mail/spamassassin]$ find.sh TxRep pre /etc/mail/spamassassin/v341.pre /etc/mail/spamassassin/v341.pre [root@localhost:/etc/mail/spamassassin]$ cat /etc/mail/spamassassin/v341.pre | grep -i TxRep # TxRep - Reputation database that replaces AWL # loadplugin Mail::SpamAssassin::Plugin::TxRep [root@mail-gw:/etc/mail/spamassassin]$ signature.asc Description: OpenPGP digital signature
Re: AWL ?
What version of spamassassin are you using as it was added to the standard package. You might have better luck with trunk or waiting for 3.4.2. Regards, KAM On December 23, 2015 11:33:21 AM EST, Olivier CALVANO <o.calv...@gmail.com> wrote: >Thanks, i clear the AWL and now it's good >thanks > >for TxRep, do you know where i can find this module and the >documentation ? > >2015-12-23 16:57 GMT+01:00 Joe Quinn <jqu...@pccc.com>: > >> On 12/23/2015 10:53 AM, Olivier CALVANO wrote: >> >>> Hi >>> >>> i have installed a new server on Centos with Postfix/Amavisd and >>> SpamAssassin >>> >>> my problems, 90% of mail are tagged spam: >>> >>> X-Spam-Flag: YES >>> X-Spam-Score: 22.876 >>> X-Spam-Level: ** >>> X-Spam-Status: Yes, score=22.876 required=5.0 tests=[AWL=20.375, >>> FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, >RP_MATCHES_RCVD=-0.001, >>> CLASSIC_SUJET_GENERAL_1=2.5] autolearn=no autolearn_force=no >>> >>> >>> this mail is a very simple mail. >>> >>> What is AWL ? why score is very big ? >>> >>> thanks >>> Olivier >>> >>> AWL is a poorly-named and deprecated module that does score >averaging. >> It's been replaced by TxRep which does a better job at keeping scores >sane. >> What likely happened is the sender of the email has a very bad >reputation >> carried over from previous emails to you being marked as spam. >Clearing >> your AWL database will fix it as a short-term measure. >>
Re: AWL ?
Thanks, i clear the AWL and now it's good thanks for TxRep, do you know where i can find this module and the documentation ? 2015-12-23 16:57 GMT+01:00 Joe Quinn <jqu...@pccc.com>: > On 12/23/2015 10:53 AM, Olivier CALVANO wrote: > >> Hi >> >> i have installed a new server on Centos with Postfix/Amavisd and >> SpamAssassin >> >> my problems, 90% of mail are tagged spam: >> >> X-Spam-Flag: YES >> X-Spam-Score: 22.876 >> X-Spam-Level: ****** >> X-Spam-Status: Yes, score=22.876 required=5.0 tests=[AWL=20.375, >> FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RP_MATCHES_RCVD=-0.001, >> CLASSIC_SUJET_GENERAL_1=2.5] autolearn=no autolearn_force=no >> >> >> this mail is a very simple mail. >> >> What is AWL ? why score is very big ? >> >> thanks >> Olivier >> >> AWL is a poorly-named and deprecated module that does score averaging. > It's been replaced by TxRep which does a better job at keeping scores sane. > What likely happened is the sender of the email has a very bad reputation > carried over from previous emails to you being marked as spam. Clearing > your AWL database will fix it as a short-term measure. >
Re: Strange behaviour by the AWL module
On 12/12/15 23:43, Benny Pedersen wrote: On December 12, 2015 8:33:28 PM Sebastian Arcus <s.ar...@open-t.co.uk> wrote: I guess I must be using the default settings - as I don't think I've configured anything in particular for AWL change default /16 cidr to new default /24 for ipv4, for ipv6 use /64, if you like to track on /32 for ipv4 then each ipv4 wil, have no shared awl scores possible also change defaul awl faktory from 0.5 to 0.25 will reduce how much benefit from previous score if changeing settings, delete awl db Thank you - for the time being I've disabled the AWL module - as I've worked out that on my type of setup it doesn't appear to be really needed.
Re: Strange behaviour by the AWL module
On 12/12/15 19:57, John Hardin wrote: On Sat, 12 Dec 2015, Sebastian Arcus wrote: On 12/12/15 18:21, John Hardin wrote: On Sat, 12 Dec 2015, Sebastian Arcus wrote: > One of my servers received a spam message which SA missed, with the > following report: > > -0.4 AWL AWL: Adjusted score from AWL reputation of > From: address > > After learning the messages as spam into bayes with sa-learn, I get the > following report: > > -6.1 AWL AWL: Adjusted score from AWL reputation of > From: address > > > Luckily the message is now flagged as spam because I have manually > turned up the score on my BAYES_99 and BAYES_999 awhile ago. But what > intrigues me is that now the AWL module gives it a -6.1 score. Why would > AWL now tilt things heavily towards ham, after the message has just been > learned as spam? It seems to be making things worse instead of better. > Unless I am misunderstanding what AWL is supposed to be doing? You are. The name is misleading. AWL is more a score averager than a whitelist. It's intended to allow for the occasionally spammy-looking email from a historically hammy sender (and vice versa). It has nothing to do with training, which only affect Bayes. Messages from that sender will get negative AWL scores for a while until their traffic history becomes more on the "spam" side. OK - that's kind of what I assumed. What I don't understand is why the AWL score changes after the message has been learned into the Bayes database - and by so much? It's not that you trained it into Bayes, but that SA had previously only seen email from that source address that was scored as ham. I'm assuming that's the first message you got from that source address? So their entire AWL history is 100% hammy based on the original FN. You scan the message again, it scores as spammy now for whatever reason; SA checks the AWL history for that sender address and sees "100% hammy" and generates a partially-ofsetting negative score. As that sender's AWL history shifts from "100% hammy" towards "99% spammy" (assuming you ever get mail from that address again) the offsetting score will head towards zero. I don't *think* AWL will generate positive scores for spams from a historically spammy sender (i.e. I think AWL is purely to offset the raw score for anomalies), so you should see AWL scores stop once their history is "mostly spammy". Thank you for that explanation!
Re: Strange behaviour by the AWL module
Sebastian Arcus skrev den 2015-12-12 12:51: Why would AWL now tilt things heavily towards ham, after the message has just been learned as spam? its how AWL works It seems to be making things worse instead of better. Unless I am misunderstanding what AWL is supposed to be doing? what are your settings for AWL plugin ?
Strange behaviour by the AWL module
One of my servers received a spam message which SA missed, with the following report: Content analysis details: (3.1 points, 5.0 required) pts rule name description -- -- 0.0 FREEMAIL_FROM Sender email is commonly abused enduser mail provider (noreply[at]live.com) 0.0 HTML_MESSAGE BODY: HTML included in message 1.5 BAYES_50 BODY: Bayes spam probability is 40 to 60% [score: 0.4993] 2.0 PYZOR_CHECKListed in Pyzor (http://pyzor.sf.net/) 0.0 UNPARSEABLE_RELAY Informational: message has unparseable relay lines -0.4 AWLAWL: Adjusted score from AWL reputation of From: address After learning the messages as spam into bayes with sa-learn, I get the following report: Content analysis details: (8.8 points, 5.0 required) pts rule name description -- -- 4.9 BAYES_99 BODY: Bayes spam probability is 99 to 100% [score: 1.] 0.0 FREEMAIL_FROM Sender email is commonly abused enduser mail provider (noreply[at]live.com) 0.0 HTML_MESSAGE BODY: HTML included in message 8.0 BAYES_999 BODY: Bayes spam probability is 99.9 to 100% [score: 1.] 2.0 PYZOR_CHECKListed in Pyzor (http://pyzor.sf.net/) 0.0 UNPARSEABLE_RELAY Informational: message has unparseable relay lines -6.1 AWLAWL: Adjusted score from AWL reputation of From: address Luckily the message is now flagged as spam because I have manually turned up the score on my BAYES_99 and BAYES_999 awhile ago. But what intrigues me is that now the AWL module gives it a -6.1 score. Why would AWL now tilt things heavily towards ham, after the message has just been learned as spam? It seems to be making things worse instead of better. Unless I am misunderstanding what AWL is supposed to be doing?
Re: Strange behaviour by the AWL module
On 12/12/15 13:06, Benny Pedersen wrote: Sebastian Arcus skrev den 2015-12-12 12:51: Why would AWL now tilt things heavily towards ham, after the message has just been learned as spam? its how AWL works It seems to be making things worse instead of better. Unless I am misunderstanding what AWL is supposed to be doing? what are your settings for AWL plugin ? I guess I must be using the default settings - as I don't think I've configured anything in particular for AWL
Re: Strange behaviour by the AWL module
On Sat, 12 Dec 2015, Sebastian Arcus wrote: One of my servers received a spam message which SA missed, with the following report: -0.4 AWLAWL: Adjusted score from AWL reputation of From: address After learning the messages as spam into bayes with sa-learn, I get the following report: -6.1 AWLAWL: Adjusted score from AWL reputation of From: address Luckily the message is now flagged as spam because I have manually turned up the score on my BAYES_99 and BAYES_999 awhile ago. But what intrigues me is that now the AWL module gives it a -6.1 score. Why would AWL now tilt things heavily towards ham, after the message has just been learned as spam? It seems to be making things worse instead of better. Unless I am misunderstanding what AWL is supposed to be doing? You are. The name is misleading. AWL is more a score averager than a whitelist. It's intended to allow for the occasionally spammy-looking email from a historically hammy sender (and vice versa). It has nothing to do with training, which only affect Bayes. Messages from that sender will get negative AWL scores for a while until their traffic history becomes more on the "spam" side. A lot of people just turn AWL off, or use a newer replacement called txrep. I think there's a way to wipe the AWL history for a given sender; I don't recall what it is off the top of my head, though. -- John Hardin KA7OHZhttp://www.impsec.org/~jhardin/ jhar...@impsec.orgFALaholic #11174 pgpk -a jhar...@impsec.org key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79 --- When fascism comes to America, it will be wrapped in "Diversity" and demanding "Safe Spaces." -- Mona Charen --- 3 days until Bill of Rights day
Re: Strange behaviour by the AWL module
On Sat, 12 Dec 2015, Sebastian Arcus wrote: On 12/12/15 18:21, John Hardin wrote: On Sat, 12 Dec 2015, Sebastian Arcus wrote: > One of my servers received a spam message which SA missed, with the > following report: > > -0.4 AWL AWL: Adjusted score from AWL reputation of > From: address > > After learning the messages as spam into bayes with sa-learn, I get the > following report: > > -6.1 AWL AWL: Adjusted score from AWL reputation of > From: address > > > Luckily the message is now flagged as spam because I have manually > turned up the score on my BAYES_99 and BAYES_999 awhile ago. But what > intrigues me is that now the AWL module gives it a -6.1 score. Why would > AWL now tilt things heavily towards ham, after the message has just been > learned as spam? It seems to be making things worse instead of better. > Unless I am misunderstanding what AWL is supposed to be doing? You are. The name is misleading. AWL is more a score averager than a whitelist. It's intended to allow for the occasionally spammy-looking email from a historically hammy sender (and vice versa). It has nothing to do with training, which only affect Bayes. Messages from that sender will get negative AWL scores for a while until their traffic history becomes more on the "spam" side. OK - that's kind of what I assumed. What I don't understand is why the AWL score changes after the message has been learned into the Bayes database - and by so much? It's not that you trained it into Bayes, but that SA had previously only seen email from that source address that was scored as ham. I'm assuming that's the first message you got from that source address? So their entire AWL history is 100% hammy based on the original FN. You scan the message again, it scores as spammy now for whatever reason; SA checks the AWL history for that sender address and sees "100% hammy" and generates a partially-ofsetting negative score. As that sender's AWL history shifts from "100% hammy" towards "99% spammy" (assuming you ever get mail from that address again) the offsetting score will head towards zero. I don't *think* AWL will generate positive scores for spams from a historically spammy sender (i.e. I think AWL is purely to offset the raw score for anomalies), so you should see AWL scores stop once their history is "mostly spammy". -- John Hardin KA7OHZhttp://www.impsec.org/~jhardin/ jhar...@impsec.orgFALaholic #11174 pgpk -a jhar...@impsec.org key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79 --- If you are "fighting for social justice," then you are defining yourself as someone who considers regular old everyday *equal* justice to be something you don't want. -- GOF at TSM --- 3 days until Bill of Rights day
Re: Strange behaviour by the AWL module
On 12/12/15 18:21, John Hardin wrote: On Sat, 12 Dec 2015, Sebastian Arcus wrote: One of my servers received a spam message which SA missed, with the following report: -0.4 AWLAWL: Adjusted score from AWL reputation of From: address After learning the messages as spam into bayes with sa-learn, I get the following report: -6.1 AWLAWL: Adjusted score from AWL reputation of From: address Luckily the message is now flagged as spam because I have manually turned up the score on my BAYES_99 and BAYES_999 awhile ago. But what intrigues me is that now the AWL module gives it a -6.1 score. Why would AWL now tilt things heavily towards ham, after the message has just been learned as spam? It seems to be making things worse instead of better. Unless I am misunderstanding what AWL is supposed to be doing? You are. The name is misleading. AWL is more a score averager than a whitelist. It's intended to allow for the occasionally spammy-looking email from a historically hammy sender (and vice versa). It has nothing to do with training, which only affect Bayes. Messages from that sender will get negative AWL scores for a while until their traffic history becomes more on the "spam" side. OK - that's kind of what I assumed. What I don't understand is why the AWL score changes after the message has been learned into the Bayes database - and by so much?
Re: Strange behaviour by the AWL module
On December 12, 2015 8:33:28 PM Sebastian Arcus <s.ar...@open-t.co.uk> wrote: I guess I must be using the default settings - as I don't think I've configured anything in particular for AWL change default /16 cidr to new default /24 for ipv4, for ipv6 use /64, if you like to track on /32 for ipv4 then each ipv4 wil, have no shared awl scores possible also change defaul awl faktory from 0.5 to 0.25 will reduce how much benefit from previous score if changeing settings, delete awl db
Re: AWL defeating my SPAM classification
On 4/30/15, 12:16 AM, Tom Robinson tom.robin...@motec.com.au wrote: BTW, where can I see the results of my configuration changes? It would be nice to confirm that my changes have rectified the situation. On the server (via SSH or console) use the +trace argument to dig, and then look for lines starting with ';;': postmstr@smtp:~$ dig +trace example.com.multi.uribl.com | grep ';;' ;; global options: +cmd ;; Received 913 bytes from 127.0.0.1#53(127.0.0.1) in 8 ms ;; Received 760 bytes from 199.7.91.13#53(d.root-servers.net) in 48 ms ;; Received 707 bytes from 192.54.112.30#53(h.gtld-servers.net) in 124 ms ;; Received 553 bytes from 54.149.125.143#53(o.icudp.com) in 74 ms ;; Received 206 bytes from 52.68.34.21#53(gg.uribl.com) in 147 ms So you can see that my mail server is querying its local DNS resolver, which is querying the root servers and then working its way down to the appropriate uribl.com server. In your case your actual IPs will be different, but the pattern should still hold. -- Dave Pooser Cat-Herder-in-Chief, Pooserville.com
Re: AWL defeating my SPAM classification
On 30/04/15 09:56, Marieke Janssen wrote:
0.0 URIBL_BLOCKED ADMINISTRATOR NOTICE: The query to URIBL was
blocked.
See
http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block
for more information.
[URIs: world-plants.ru]
You are blocked, This probably means you are using either public
nameservers or do too much queries. Running a dedicated nameserver on
localhost (dnsmasq,bind,unbound,whatever) can solve this (and besides
that, it speeds things up). If you fix this chances are you get scores
high enough to compensate/correct AWL.
On 30.04.15 12:10, Tom Robinson wrote:
I have the mail server and a separate name server set up in a DMZ. The name
server already runs as a caching nameserver but does forwarding to our ISP.
I'm not sure how the non-caching works to eliminate this problem. Is it
correct that currently, because I'm forwarding, the DNSBL query is denied
because the DNSBL server thinks I'm the ISP making a query? Sorry, I'm not
understanding the mechanism.
when you are forwarding, your nameserver asks forwarders for the data.
The DNSBL server apparently block your forwarders because they make too many
queries.
If bind is going to forward lookups for DNSBL servers to a null list, will
the cache have a record to look up at all?
e.g.
/* Disable forwarding for DNSBL queries */
zone multi.uribl.com { type forward; forward first; forwarders {}; };
zone dnsbl.sorbs.net { type forward; forward first; forwarders {}; };
Does this rely on the caching namesever having already looked up and cached
the DNSBL servers?
it will iterate the usual way without forwarders - from root servers etc.
BTW, I do have rbldnsd set up on the caching nameserver in my DMZ. Is that
useful in any way to resolve this issue?
you can set up forwarding to the rbldnsd server, if it contains proper
zones.
--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety. -- Benjamin Franklin, 1759
Re: AWL defeating my SPAM classification
On 4/30/15, 12:16 AM, Tom Robinson tom.robin...@motec.com.au wrote: BTW, where can I see the results of my configuration changes? It would be nice to confirm that my changes have rectified the situation. On 30.04.15 01:38, Dave Pooser wrote: On the server (via SSH or console) use the +trace argument to dig, and then look for lines starting with ';;': postmstr@smtp:~$ dig +trace example.com.multi.uribl.com | grep ';;' ;; global options: +cmd ;; Received 913 bytes from 127.0.0.1#53(127.0.0.1) in 8 ms ;; Received 760 bytes from 199.7.91.13#53(d.root-servers.net) in 48 ms ;; Received 707 bytes from 192.54.112.30#53(h.gtld-servers.net) in 124 ms ;; Received 553 bytes from 54.149.125.143#53(o.icudp.com) in 74 ms ;; Received 206 bytes from 52.68.34.21#53(gg.uribl.com) in 147 ms So you can see that my mail server is querying its local DNS resolver, which is querying the root servers and then working its way down to the appropriate uribl.com server. In your case your actual IPs will be different, but the pattern should still hold. no, it's the dig command that does the trace, not the nameserver. This says nothing about your nameserver configuration, and it can't since nameserver does not provide that info. -- Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/ Warning: I wish NOT to receive e-mail advertising to this address. Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu. BSE = Mad Cow Desease ... BSA = Mad Software Producents Desease
Re: AWL defeating my SPAM classification
On the server (via SSH or console) use the +trace argument to dig, and then look for lines starting with ';;': postmstr@smtp:~$ dig +trace example.com.multi.uribl.com | grep ';;' ;; global options: +cmd ;; Received 913 bytes from 127.0.0.1#53(127.0.0.1) in 8 ms ;; Received 760 bytes from 199.7.91.13#53(d.root-servers.net) in 48 ms ;; Received 707 bytes from 192.54.112.30#53(h.gtld-servers.net) in 124 ms ;; Received 553 bytes from 54.149.125.143#53(o.icudp.com) in 74 ms ;; Received 206 bytes from 52.68.34.21#53(gg.uribl.com) in 147 ms So you can see that my mail server is querying its local DNS resolver, which is querying the root servers and then working its way down to the appropriate uribl.com server. In your case your actual IPs will be different, but the pattern should still hold. dig +trace always does a full root server lookup so it's not showing the same path that the /etc/resolv.conf will take. He will have to run a regular query and see if he gets back 127.0.0.1. If so, then the current resolv.conf path is still being blocked. -- Dave Pooser Cat-Herder-in-Chief, Pooserville.com
Re: AWL defeating my SPAM classification
Am 30.04.2015 um 12:55 schrieb Matus UHLAR - fantomas: On 4/30/15, 12:16 AM, Tom Robinson tom.robin...@motec.com.au wrote: BTW, where can I see the results of my configuration changes? It would be nice to confirm that my changes have rectified the situation. On 30.04.15 01:38, Dave Pooser wrote: On the server (via SSH or console) use the +trace argument to dig, and then look for lines starting with ';;': postmstr@smtp:~$ dig +trace example.com.multi.uribl.com | grep ';;' ;; global options: +cmd ;; Received 913 bytes from 127.0.0.1#53(127.0.0.1) in 8 ms ;; Received 760 bytes from 199.7.91.13#53(d.root-servers.net) in 48 ms ;; Received 707 bytes from 192.54.112.30#53(h.gtld-servers.net) in 124 ms ;; Received 553 bytes from 54.149.125.143#53(o.icudp.com) in 74 ms ;; Received 206 bytes from 52.68.34.21#53(gg.uribl.com) in 147 ms So you can see that my mail server is querying its local DNS resolver, which is querying the root servers and then working its way down to the appropriate uribl.com server. In your case your actual IPs will be different, but the pattern should still hold. no, it's the dig command that does the trace, not the nameserver. This says nothing about your nameserver configuration, and it can't since nameserver does not provide that info correct because the nameserver of the machine below *for sure* does not recursion but is a forwarder to a local cache which don't appear [harry@srv-rhsoft:~]$ dig +trace example.com.multi.uribl.com | grep ';;' ;; global options: +cmd ;; Received 239 bytes from 127.0.0.1#53(127.0.0.1) in 0 ms ;; Received 751 bytes from 202.12.27.33#53(m.root-servers.net) in 43 ms ;; Received 698 bytes from 192.41.162.30#53(l.gtld-servers.net) in 186 ms ;; Received 544 bytes from 94.228.131.217#53(p.icudp.net) in 32 ms ;; Received 90 bytes from 184.73.199.129#53(ee.uribl.com) in 173 ms signature.asc Description: OpenPGP digital signature
Re: AWL defeating my SPAM classification
Matus UHLAR - fantomas skrev den 2015-04-30 12:55: no, it's the dig command that does the trace, not the nameserver. This says nothing about your nameserver configuration, and it can't since nameserver does not provide that info. dig respects resolv.conf with nameserver 127.0.0.1 try it :) dig @8.8.8.8 +trace example.org
Re: AWL defeating my SPAM classification
On 4/30/15, 5:55 AM, Matus UHLAR - fantomas uh...@fantomas.sk wrote: no, it's the dig command that does the trace, not the nameserver. This says nothing about your nameserver configuration, and it can't since nameserver does not provide that info. I stand corrected-- I had tested on another machine that used a forwarding server and had seen different results that did NOT include the root servers (it queried the local router, then the Verizon forwarder, then uribl directly) -- but that was probably either because Verizon does DNS hijacking or a difference between the dig implementations on MacOS and Ubuntu. Sorry for the noise! slinks off -- Dave Pooser Cat-Herder-in-Chief, Pooserville.com
Re: AWL defeating my SPAM classification
Am 30.04.2015 um 17:06 schrieb Benny Pedersen: Matus UHLAR - fantomas skrev den 2015-04-30 12:55: no, it's the dig command that does the trace, not the nameserver. This says nothing about your nameserver configuration, and it can't since nameserver does not provide that info. dig respects resolv.conf with nameserver 127.0.0.1 try it :) dig @8.8.8.8 +trace example.org that's bullshit - it just asks there for the root-ns how does that help? you should try to understand the context where is my forwarder named is using in the trace output? nowhere! and so *how* would that help to answer the question if the nameserver does forwarding or recursion? it don't - period [harry@srv-rhsoft:~]$ dig +trace example.org | grep 10.0.0.6 [harry@srv-rhsoft:~]$ [harry@srv-rhsoft:~]$ dig +trace example.org ; DiG 9.9.6-P1-RedHat-9.9.6-8.P1.fc21 +trace example.org ;; global options: +cmd . 2825IN NS l.root-servers.net. . 2825IN NS m.root-servers.net. . 2825IN NS j.root-servers.net. . 2825IN NS b.root-servers.net. . 2825IN NS f.root-servers.net. . 2825IN NS h.root-servers.net. . 2825IN NS d.root-servers.net. . 2825IN NS i.root-servers.net. . 2825IN NS c.root-servers.net. . 2825IN NS k.root-servers.net. . 2825IN NS a.root-servers.net. . 2825IN NS e.root-servers.net. . 2825IN NS g.root-servers.net. ;; Received 239 bytes from 127.0.0.1#53(127.0.0.1) in 0 ms org.172800 IN NS d0.org.afilias-nst.org. org.172800 IN NS a2.org.afilias-nst.info. org.172800 IN NS b2.org.afilias-nst.org. org.172800 IN NS b0.org.afilias-nst.org. org.172800 IN NS a0.org.afilias-nst.info. org.172800 IN NS c0.org.afilias-nst.info. org.86400 IN DS 21366 7 1 E6C1716CFB6BDC84E84CE1AB5510DAC69173B5B2 org.86400 IN DS 21366 7 2 96EEB2FFD9B00CD4694E78278B5EFDAB0A80446567B69F634DA078F0 D90F01BA org.86400 IN RRSIG DS 8 1 86400 2015051005 2015043004 48613 . CCXS9dvxUkQCVXzNYBnGgI4+9E0pRURKT5Bp7gBhTO28rQsoP64lbCxU /0R13vcKBxS1ANPZnOreayAjlNCrL4ME2/09pKaBY/2OjaGc61+11W1g +pggqcoxLOEdsp3Pg9oWVVDYNAmh3akVIMJIOjRGy3q3I7ntBhfjh0bf dZE= ;; Received 685 bytes from 192.228.79.201#53(b.root-servers.net) in 187 ms example.org.86400 IN NS a.iana-servers.net. example.org.86400 IN NS b.iana-servers.net. example.org.86400 IN DS 31589 8 1 7B8370002875DDA781390A8E586C31493847D9BC example.org.86400 IN DS 31589 8 2 3FDC4C11FA3AD3535EA8C1CE3EAF7BFA5CA9AE8A834D98FEE10085CF AEB625AA example.org.86400 IN RRSIG DS 7 2 86400 20150516154903 20150425144903 3213 org. F4xyrnEiyAh73FDVDCksE2gwPci27NyrDBOvAheul5LnaMyCg4PrWWly +vGTYbTv6A/OSS3Hc+1XdzvG39sN2fdGSBEXvGib1MVq0upC5dFA/RSu sB3CauiWON2zxIptGrDnGOS0DenYSzPP8wDghMeykr+k5FT6RuuDVAFr Uvg= ;; Received 335 bytes from 199.249.120.1#53(b2.org.afilias-nst.org) in 38 ms example.org.86400 IN A 93.184.216.34 example.org.86400 IN RRSIG A 8 2 86400 20150507130447 20150430112531 23014 example.org. o95kdPQLidVQavRj2zcvtJPzra2mQ4VdWPlnnGUkd+/Wvv9/AT7TRArc vjcdXhH7s9X0J6Jray7VA3SvqvEXixwqSbOUjS3WNXZ70pR0hz+9hAPl /t2uIMDpIUFWSeZkBBU2Q+nPZ6z9zCi6f7FpRNFaV4CXN9gTrU/g9mXb ZiI= example.org.172800 IN NS a.iana-servers.net. example.org.172800 IN NS b.iana-servers.net. example.org.172800 IN RRSIG NS 8 2 172800 20150507230256 20150430112531 23014 example.org. RPb4E38QRr2myhjs88BsIE3RhApL4TgJv+7rEgaMvxUYOs6g8nasKO2N NbuJMRvJaTSEpQHlq6YpEMmhLgXKBk+szv964RAwj/zZOjgEh816ORyZ GdA1cnvtHp7vFcRnQgGRsPTWFrYKpa22zimfi87fK/OBSPjONf4pGk/s TEc= ;; Received 534 bytes from 199.43.133.53#53(b.iana-servers.net) in 174 ms signature.asc Description: OpenPGP digital signature
Re: AWL defeating my SPAM classification
Tom Robinson skrev den 2015-04-30 04:14: Actually, looking for this config I can't seem to find it. My spamassassin is linked in with qmail using qmail-scanner-queue.pl. That script looks in /home/qscand/.spamassassin/user_prefs but I also have configs in /etc/mail/spamassassin. What am I looking for exactly? dig +trace apache.org dig +trace google.com did you see route on how dns treverse nameservers ? when you use forwards in the chain it ignores this, and thus others use your free limit on blacklists, and it will in some time begin to give no results, leading to see diff problems in awl since its recorded before with a diff spam score on the same ips to solve it completely remove ALL forwards in your nameserver, and ONLY use forward pr zone as needed, thus do not use forward in options section in named.conf with is global fault :=) i have seen domains that blocked my ips in there acl for being for them a dynamic ip, all thay got back was that it was for them impossible to send more mail until that was resolved my ips was ripe listed in seperate, if admins had checked this it was clearly not a dynamic ip, and problem had not arrised for them in resolv.conf use nameserver 127.0.0.1, and configure your dns server to only listen on 127.0.0.1 or if needed lan interfaces, no listning on public ips
Re: AWL defeating my SPAM classification
Tom Robinson skrev den 2015-04-30 04:35: Finally that makes sense. I will add the forwarding in as per the documentation. remove forwarding is safe, only use forward dns on zones you self build or have rsync access to
AWL defeating my SPAM classification
Hi, Below is the source from an email that is clearly spam but the AWL is -1.3 defeating the spam classification. How can I best adjust the AWL to get this classified as SPAM. Kind regards, Tom -- Tom Robinson IT Manager/System Administrator MoTeC Pty Ltd 121 Merrindale Drive Croydon South 3136 Victoria Australia T: +61 3 9761 5050 F: +61 3 9761 5051 E: tom.robin...@motec.com.au Return-Path: og...@bonnieaugostino.com Delivered-To: t...@motec.com.au Received: (qmail 2934 invoked by alias); 29 Apr 2015 23:02:24 - Delivered-To: fo...@motec.com.au Received: (qmail 2923 invoked by uid 187); 29 Apr 2015 23:02:24 - Received: from 78.188.129.11.dynamic.ttnet.com.tr by scion.motec.com.au (envelope-from og...@bonnieaugostino.com, uid 181) with qmail-scanner-2.08st (clamdscan: 0.97.8/20394. spamassassin: 3.3.1. perlscan: 2.08st. Clear:RC:0(78.188.129.11):SA:0(4.6/5.0):. Processed in 14.230659 secs); 29 Apr 2015 23:02:24 - X-Spam-Status: No, hits=4.6 required=5.0 X-Spam-Level: X-Spam-Report: SA TESTS 0.7 RCVD_IN_XBLRBL: Received via a relay in Spamhaus XBL [78.188.129.11 listed in zen.spamhaus.org] 2.9 HELO_DYNAMIC_SPLIT_IP Relay HELO'd using suspicious hostname (Split IP) 0.2 CK_HELO_GENERICRelay used name indicative of a Dynamic Pool or Generic rPTR 0.0 TVD_RCVD_IPMessage was received from an IP address 1.6 RCVD_IN_BRBL_LASTEXT RBL: RCVD_IN_BRBL_LASTEXT [78.188.129.11 listed in bb.barracudacentral.org] 0.0 URIBL_BLOCKED ADMINISTRATOR NOTICE: The query to URIBL was blocked. See http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block for more information. [URIs: world-plants.ru] 0.4 RDNS_DYNAMIC Delivered to internal network by host with dynamic-looking rDNS -1.3 AWLAWL: Adjusted score from AWL reputation of From: address Received: from 78.188.129.11.dynamic.ttnet.com.tr (78.188.129.11) by scion.motec.com.au with SMTP; 29 Apr 2015 23:02:09 - Message-ID: fn4sakwr.2943...@bonnieaugostino.com Date: Thu, 30 Apr 2015 01:48:15 +0200 From: American Express fr...@americanexpress.com User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:24.0) Gecko/20100101 Thunderbird/24.2.0 MIME-Version: 1.0 To: emailpete.swin...@motec.com.au Subject: Irregular card activity Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Irregular check card activity American Express Dear Customer, We detected irregular card activity on your American Express Check Card on 29 April, 2015. As the Primary Contact, you must verify your credit card activity before you can continue using your card, and upon verification, we will remove any restrictions placed on your card. To review your account as soon as possible please click on the link below. http://world-plants.ru/foldername/index.html Thank you for your Card Membership. - American Express Customer Care Fraud Department: Erica Bermudez Level III Security Officer signature.asc Description: OpenPGP digital signature
Re: AWL defeating my SPAM classification
Tom Robinson skrev den 2015-04-30 01:38: 0.0 URIBL_BLOCKED ADMINISTRATOR NOTICE: The query to URIBL was blocked. See http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block did you read the url here ? well if yes, show your AWL config for the AWL plugin
RE: AWL defeating my SPAM classification
Hi, Besides your awl problem, you have other problems. 0.0 URIBL_BLOCKED ADMINISTRATOR NOTICE: The query to URIBL was blocked. See http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block for more information. [URIs: world-plants.ru] You are blocked, This probably means you are using either public nameservers or do too much queries. Running a dedicated nameserver on localhost (dnsmasq,bind,unbound,whatever) can solve this (and besides that, it speeds things up). If you fix this chances are you get scores high enough to compensate/correct AWL. In SpamAssassin 3.4.1 there is a TxRep module, maybe you'll find it interesting. It decayes the learned scores over time (and other neat stuff). You can migrate existing AWL data to TxRep. (make sure to backup it first so you can go back). /MJ
Re: AWL defeating my SPAM classification
On 30/04/15 09:56, Marieke Janssen wrote:
Hi,
Besides your awl problem, you have other problems.
0.0 URIBL_BLOCKED ADMINISTRATOR NOTICE: The query to URIBL was
blocked.
See
http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block
for more information.
[URIs: world-plants.ru]
You are blocked, This probably means you are using either public nameservers
or do too much queries. Running a dedicated nameserver on localhost
(dnsmasq,bind,unbound,whatever) can solve this (and besides that, it speeds
things up).
If you fix this chances are you get scores high enough to compensate/correct
AWL.
In SpamAssassin 3.4.1 there is a TxRep module, maybe you'll find it
interesting. It decayes the learned scores over time (and other neat stuff).
You can migrate existing AWL data to TxRep. (make sure to backup it first so
you can go back).
Thanks Marieke,
I have the mail server and a separate name server set up in a DMZ. The name
server already runs as a
caching nameserver but does forwarding to our ISP. I'm not sure how the
non-caching works to
eliminate this problem. Is it correct that currently, because I'm forwarding,
the DNSBL query is
denied because the DNSBL server thinks I'm the ISP making a query? Sorry, I'm
not understanding the
mechanism.
If bind is going to forward lookups for DNSBL servers to a null list, will the
cache have a record
to look up at all?
e.g.
/* Disable forwarding for DNSBL queries */
zone multi.uribl.com { type forward; forward first; forwarders {}; };
zone dnsbl.sorbs.net { type forward; forward first; forwarders {}; };
Does this rely on the caching namesever having already looked up and cached the
DNSBL servers?
BTW, I do have rbldnsd set up on the caching nameserver in my DMZ. Is that
useful in any way to
resolve this issue?
signature.asc
Description: OpenPGP digital signature
Re: AWL defeating my SPAM classification
On 30/04/15 12:15, Kevin A. McGrail wrote: On 4/29/2015 10:10 PM, Tom Robinson wrote: I have the mail server and a separate name server set up in a DMZ. The name server already runs as a caching nameserver but does forwarding to our ISP. Hi Tom, Your ISP is doing too many queries to the services exceeding free limits. You are being lumped in with your ISP. Run your own caching DNS server without forwarding but instead going to the root servers so you query on your own. Finally that makes sense. I will add the forwarding in as per the documentation. signature.asc Description: OpenPGP digital signature
Re: AWL defeating my SPAM classification
Tom Robinson IT Manager/System Administrator MoTeC Pty Ltd 121 Merrindale Drive Croydon South 3136 Victoria Australia T: +61 3 9761 5050 F: +61 3 9761 5051 E: tom.robin...@motec.com.au On 30/04/15 10:10, Benny Pedersen wrote: Tom Robinson skrev den 2015-04-30 01:38: 0.0 URIBL_BLOCKED ADMINISTRATOR NOTICE: The query to URIBL was blocked. See http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block did you read the url here ? well if yes, show your AWL config for the AWL plugin Actually, looking for this config I can't seem to find it. My spamassassin is linked in with qmail using qmail-scanner-queue.pl. That script looks in /home/qscand/.spamassassin/user_prefs but I also have configs in /etc/mail/spamassassin. What am I looking for exactly? signature.asc Description: OpenPGP digital signature
Re: AWL defeating my SPAM classification
On 4/29/2015 10:10 PM, Tom Robinson wrote: I have the mail server and a separate name server set up in a DMZ. The name server already runs as a caching nameserver but does forwarding to our ISP. Hi Tom, Your ISP is doing too many queries to the services exceeding free limits. You are being lumped in with your ISP. Run your own caching DNS server without forwarding but instead going to the root servers so you query on your own. Regards, KAM
Re: AWL defeating my SPAM classification
Am 30.04.2015 um 07:16 schrieb Tom Robinson: On 30/04/15 15:09, Reindl Harald wrote: Am 30.04.2015 um 04:10 schrieb Tom Robinson: Is it correct that currently, because I'm forwarding, the DNSBL query is denied because the DNSBL server thinks I'm the ISP making a query? Sorry, I'm not understanding the mechanism it is the ISP making the query for you and thousands of other of his customers - you are making 5 queries, your left and right meighbour too - oops 150 queries from your ISP's nameserver which exceeds teh limit for a single IP there is no mechanism - when you don't make your queries at your own the forwarder does and the rest is trivial math Got it. Thanks Reindl. BTW, where can I see the results of my configuration changes? It would be nice to confirm that my changes have rectified the situation when there is no forward in your config it does recursion - or in other words: named before it get crippeled down to a forwarder does recursion and caching out of the box signature.asc Description: OpenPGP digital signature
Re: AWL defeating my SPAM classification
Am 30.04.2015 um 04:10 schrieb Tom Robinson: I have the mail server and a separate name server set up in a DMZ. The name server already runs as a caching nameserver but does forwarding to our ISP don't do that when you are running mailservers or for whateverer reason rely on trustable nameservers - that's it signature.asc Description: OpenPGP digital signature
Re: AWL defeating my SPAM classification
Am 30.04.2015 um 04:10 schrieb Tom Robinson: Is it correct that currently, because I'm forwarding, the DNSBL query is denied because the DNSBL server thinks I'm the ISP making a query? Sorry, I'm not understanding the mechanism it is the ISP making the query for you and thousands of other of his customers - you are making 5 queries, your left and right meighbour too - oops 150 queries from your ISP's nameserver which exceeds teh limit for a single IP there is no mechanism - when you don't make your queries at your own the forwarder does and the rest is trivial math signature.asc Description: OpenPGP digital signature
Re: AWL defeating my SPAM classification
On 30/04/15 15:09, Reindl Harald wrote: Am 30.04.2015 um 04:10 schrieb Tom Robinson: Is it correct that currently, because I'm forwarding, the DNSBL query is denied because the DNSBL server thinks I'm the ISP making a query? Sorry, I'm not understanding the mechanism it is the ISP making the query for you and thousands of other of his customers - you are making 5 queries, your left and right meighbour too - oops 150 queries from your ISP's nameserver which exceeds teh limit for a single IP there is no mechanism - when you don't make your queries at your own the forwarder does and the rest is trivial math Got it. Thanks Reindl. BTW, where can I see the results of my configuration changes? It would be nice to confirm that my changes have rectified the situation. signature.asc Description: OpenPGP digital signature
Re: Awl on Redis
Ok Thanks for the answer :) Marco On Fri, 17 Apr 2015 07:58:15 -0400 Kevin A. McGrail kmcgr...@pccc.com wrote: On 4/17/2015 6:46 AM, ma...@nucleus.it wrote: Hi to all, a saw that from spamassassin 3.4 Bayes can be stored on a Redis database. Is it possible also for Awl (auto_whitelist) ? Or maybe in the future ? We are currently looking at TxRep as a replacement for AWL but no, neither of them lends themselves to a Redis backend. Perhaps someone smarter than I can figure out how to do that! Regards, KAM signature.asc Description: PGP signature
Re: Awl on Redis
On 4/17/2015 7:58 AM, Kevin A. McGrail wrote: On 4/17/2015 6:46 AM, ma...@nucleus.it wrote: Hi to all, a saw that from spamassassin 3.4 Bayes can be stored on a Redis database. Is it possible also for Awl (auto_whitelist) ? Or maybe in the future ? We are currently looking at TxRep as a replacement for AWL but no, neither of them lends themselves to a Redis backend. Perhaps someone smarter than I can figure out how to do that! Regards, KAM Or you could be that smarter someone! Submit a patch and it might be accepted. We're always looking for contributors.
