Re: Help With Configuration Issue

2006-06-11 Thread L. Mark Stone

Quoting Bill Randle <[EMAIL PROTECTED]>:


> On Sun, 2006-06-11 at 10:08 -0400, L. Mark Stone wrote:
> > Started noticing the system flagging spam emails but not deleting them:
> [cut]
> > Jun 11 07:37:18 pinot amavis[10738]: (10738-04) spam_scan: hits=24.677
> > tests=BAYES_99,HTML_50_60,HTML_IMAGE_ONLY_20,HTML_MESSAGE,HTML_SHORT_LINK_IMG_3,HTML_TEXT_AFTER_BODY,RAZOR2_CF_RANGE_51_100,RAZOR2_CF_RANGE_E4_51_100,RAZOR2_CF_RANGE_E8_51_100,RAZOR2_CHECK,TW_EH,TW_NH,URIBL_JP_SURBL,URIBL_OB_SURBL,URIBL_SBL,URIBL_WS_SURBL
> > Jun 11 07:37:18 pinot amavis[10738]: (10738-04) SPAM,
> > <[EMAIL PROTECTED]> -> , Yes,
> > hits=24.7 tag1=-999.0 tag2=4.0 kill=4.0 tests=BAYES_99, HTML_50_60,
> > HTML_IMAGE_ONLY_20, HTML_MESSAGE, HTML_SHORT_LINK_IMG_3,
> > HTML_TEXT_AFTER_BODY, RAZOR2_CF_RANGE_51_100,
> > RAZOR2_CF_RANGE_E4_51_100, RAZOR2_CF_RANGE_E8_51_100, RAZOR2_CHECK,
> > TW_EH, TW_NH, URIBL_JP_SURBL, URIBL_OB_SURBL, URIBL_SBL, URIBL_WS_SURBL
> > Jun 11 07:37:18 pinot amavis[10738]: (10738-04) FWD via SMTP:
> > [127.0.0.1]:10025 <[EMAIL PROTECTED]> ->
> >
> > System is SuSE Linux Enterprise Server9 with spamassassin 3.1.0 and amavis
> >
> > Spamassassin lints OK, and here are relevant portions of
> > /etc/amavisd.conf (probably may wordwrap).
> [cut]
>
> > Given the configuration, I would have expected the message to have
> > been discarded.  What did I miss?
>
> By any chance did you accidentally set $final_spam_destiny to D_PASS in
> the config file? There's a line that does this, but it's commented out
> by default.
>
> -Bill


Bill,

We did have $final_spam_destiny set to D_PASS but have now changed this to
D_DISCARD and increased the discard level from 4.0 to 5.0.  Not as
high as you suggested, but since I have been grepping the mail logs,
we have had no false positives.


Thanks for that great catch; that will save me from doing some regexp  
work in Postfix to combat backscatter.


All the best,
Mark


--
_
A Message From...  L. Mark Stone

Reliable Networks of Maine, LLC

"We manage your network so you can manage your business"

477 Congress Street
Portland, ME 04101
Tel: (207) 772-5678
Web: http://www.rnome.com

This email was sent from Reliable Networks of Maine LLC.
It may contain information that is privileged and confidential.
If you suspect that you were not intended to receive it, please
delete it and notify us as soon as possible. Thank you.




Re: Help With Configuration Issue

2006-06-11 Thread Gary V
Yes, discarding is not only controlled by $sa_kill_level_deflt but also by
$final_spam_destiny and whether a quarantine is configured or not, and if
quarantine is configured, then also $sa_quarantine_cutoff_level. This is
not a SpamAssassin question, it is an amavisd-new question.


Having said that, if a larger than normal percentage of spam scores at 4.0 
or below, and that is why you want to discard at a score of 4.0, then that 
would be a concern and that *is* a SpamAssassin question.


Gary V





Re: Help With Configuration Issue

2006-06-11 Thread Gary V

> > Given the configuration, I would have expected the message to have
> > been discarded.  What did I miss?
>
> By any chance did you accidentally set $final_spam_destiny to D_PASS in
> the config file? There's a line that does this, but it's commented out
> by default.
>
> -Bill


Yes, discarding is not only controlled by $sa_kill_level_deflt but also by
$final_spam_destiny and whether a quarantine is configured or not, and if
quarantine is configured, then also $sa_quarantine_cutoff_level. This is not
a SpamAssassin question, it is an amavisd-new question.


This may help:
http://www200.pair.com/mecham/spam/amavisd-settings.html

BTW, if you are really going to discard mail that scores 4.0 or higher, you
will lose legitimate mail. If anything, I would suggest accepting mail up
to a score of somewhere around 7.0 and marking mail between 4.0 and 7.0 as
***SPAM*** on the Subject: line.


Maybe something like this:

$final_spam_destiny = D_DISCARD;
$spam_quarantine_to  = 'spam-quarantine';
$sa_tag_level_deflt = -999;
$sa_tag2_level_deflt = 4.0;
$sa_kill_level_deflt = 7.0;
$sa_spam_subject_tag = '***SPAM*** ';
$sa_quarantine_cutoff_level = 14;

Then set up a cron job to delete items in the quarantine that are older than 
60 days or something.


If by 'discard' you mean quarantine, then it is still not a good idea to 
quarantine at such a low level. You are more likely to find ham in the 
quarantine which means you will spend more time searching for items in the 
quarantine which ends up being counterproductive.


My 0.02

Gary V





Re: Help With Configuration Issue

2006-06-11 Thread Bill Randle
On Sun, 2006-06-11 at 10:08 -0400, L. Mark Stone wrote:
> Started noticing the system flagging spam emails but not deleting them:
[cut]
> Jun 11 07:37:18 pinot amavis[10738]: (10738-04) spam_scan: hits=24.677  
> tests=BAYES_99,HTML_50_60,HTML_IMAGE_ONLY_20,HTML_MESSAGE,HTML_SHORT_LINK_IMG_3,HTML_TEXT_AFTER_BODY,RAZOR2_CF_RANGE_51_100,RAZOR2_CF_RANGE_E4_51_100,RAZOR2_CF_RANGE_E8_51_100,RAZOR2_CHECK,TW_EH,TW_NH,URIBL_JP_SURBL,URIBL_OB_SURBL,URIBL_SBL,URIBL_WS_SURBL
> Jun 11 07:37:18 pinot amavis[10738]: (10738-04) SPAM,  
> <[EMAIL PROTECTED]> -> , Yes,  
> hits=24.7 tag1=-999.0 tag2=4.0 kill=4.0 tests=BAYES_99, HTML_50_60,  
> HTML_IMAGE_ONLY_20, HTML_MESSAGE, HTML_SHORT_LINK_IMG_3,  
> HTML_TEXT_AFTER_BODY, RAZOR2_CF_RANGE_51_100,  
> RAZOR2_CF_RANGE_E4_51_100, RAZOR2_CF_RANGE_E8_51_100, RAZOR2_CHECK,  
> TW_EH, TW_NH, URIBL_JP_SURBL, URIBL_OB_SURBL, URIBL_SBL, URIBL_WS_SURBL
> Jun 11 07:37:18 pinot amavis[10738]: (10738-04) FWD via SMTP:  
> [127.0.0.1]:10025 <[EMAIL PROTECTED]> ->  
> 
> 
> System is SuSE Linux Enterprise Server9 with spamassassin 3.1.0 and amavis
> 
> Spamassassin lints OK, and here are relevant portions of  
> /etc/amavisd.conf (probably may wordwrap).
[cut]

> Given the configuration, I would have expected the message to have  
> been discarded.  What did I miss?

By any chance did you accidentally set $final_spam_destiny to D_PASS in
the config file? There's a line that does this, but it's commented out
by default.

-Bill




Help With Configuration Issue

2006-06-11 Thread L. Mark Stone

Started noticing the system flagging spam emails but not deleting them:

Jun 11 07:37:13 pinot postfix/smtpd[8568]: connect from unknown[160.79.37.83]
Jun 11 07:37:14 pinot postfix/smtpd[8568]: 9F6CBE88001:  
client=unknown[160.79.37.83]
Jun 11 07:37:16 pinot postfix/cleanup[11935]: 9F6CBE88001:  
message-id=<[EMAIL PROTECTED]>
Jun 11 07:37:16 pinot postfix/qmgr[7184]: 9F6CBE88001:  
from=<[EMAIL PROTECTED]>, size=4038, nrcpt=1 (queue active)
Jun 11 07:37:16 pinot amavis[10738]: (10738-04) ESMTP::10024  
/var/spool/amavis/tmp/amavis-20060611T044830-10738:  
<[EMAIL PROTECTED]> ->  Received:  
SIZE=4038 BODY=8BITMIME from pinot.rnome.com ([127.0.0.1]) by  
localhost (pinot [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id  
10738-04 for ; Sun, 11 Jun 2006 07:37:16  
-0400 (EDT)
Jun 11 07:37:16 pinot amavis[10738]: (10738-04) Checking:  
<[EMAIL PROTECTED]> -> <[EMAIL PROTECTED]>
Jun 11 07:37:18 pinot amavis[10738]: (10738-04) spam_scan: hits=24.677  
tests=BAYES_99,HTML_50_60,HTML_IMAGE_ONLY_20,HTML_MESSAGE,HTML_SHORT_LINK_IMG_3,HTML_TEXT_AFTER_BODY,RAZOR2_CF_RANGE_51_100,RAZOR2_CF_RANGE_E4_51_100,RAZOR2_CF_RANGE_E8_51_100,RAZOR2_CHECK,TW_EH,TW_NH,URIBL_JP_SURBL,URIBL_OB_SURBL,URIBL_SBL,URIBL_WS_SURBL
Jun 11 07:37:18 pinot amavis[10738]: (10738-04) SPAM,  
<[EMAIL PROTECTED]> -> , Yes,  
hits=24.7 tag1=-999.0 tag2=4.0 kill=4.0 tests=BAYES_99, HTML_50_60,  
HTML_IMAGE_ONLY_20, HTML_MESSAGE, HTML_SHORT_LINK_IMG_3,  
HTML_TEXT_AFTER_BODY, RAZOR2_CF_RANGE_51_100,  
RAZOR2_CF_RANGE_E4_51_100, RAZOR2_CF_RANGE_E8_51_100, RAZOR2_CHECK,  
TW_EH, TW_NH, URIBL_JP_SURBL, URIBL_OB_SURBL, URIBL_SBL, URIBL_WS_SURBL
Jun 11 07:37:18 pinot amavis[10738]: (10738-04) FWD via SMTP:  
[127.0.0.1]:10025 <[EMAIL PROTECTED]> ->  



System is SuSE Linux Enterprise Server9 with spamassassin 3.1.0 and amavis

Spamassassin lints OK, and here are relevant portions of  
/etc/amavisd.conf (probably may wordwrap).


$sa_tag_level_deflt  = -999.0; # add spam info headers if at, or above that level

$sa_tag2_level_deflt = 4.0;
$sa_kill_level_deflt = $sa_tag2_level_deflt; # triggers spam evasive actions
# at or above that level: bounce/reject/drop,
# quarantine, and adding mail address extension
$sa_dsn_cutoff_level = 6.5; # spam level beyond which a DSN is not sent,
# effectively turning D_BOUNCE into D_DISCARD;
# undef disables this feature and is a default;

$sa_spam_subject_tag = '***SPAM*** ';   # (defaults to undef, disabled)
 # (only seen when spam is not to be rejected
 # and recipient is in local_domains*)

Given the configuration, I would have expected the message to have  
been discarded.  What did I miss?


Thanks,
Mark


--
_
A Message From...  L. Mark Stone

Reliable Networks of Maine, LLC

"We manage your network so you can manage your business"

477 Congress Street
Portland, ME 04101
Tel: (207) 772-5678
Web: http://www.rnome.com

This email was sent from Reliable Networks of Maine LLC.
It may contain information that is privileged and confidential.
If you suspect that you were not intended to receive it, please
delete it and notify us as soon as possible. Thank you.
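
A log check for the symptom in this thread, added here as an example (not code from any poster or from amavisd-new): it pairs each amavis request id's SPAM line with a FWD via SMTP line and reports messages that scored at or above kill yet were still forwarded. The line layout follows the excerpt above; the addresses and the second and third requests are constructed, and real syslog lines are assumed to be unwrapped.

```python
import re

# Syslog prefix plus amavis request id, e.g. "amavis[10738]: (10738-04) ..."
LINE_RE = re.compile(r"amavis\[\d+\]: \((?P<rid>[\d-]+)\) (?P<msg>.*)")
# Verdict line as shown in the thread: "SPAM, ... hits=24.7 ... kill=4.0 ..."
SPAM_RE = re.compile(r"^SPAM,.*?hits=(?P<hits>-?[\d.]+).*?kill=(?P<kill>-?[\d.]+)")


def find_passed_spam(lines):
    """Return [(request_id, hits, kill)] for messages logged as SPAM at or
    above the kill level that were nevertheless forwarded to the MTA."""
    spam = {}          # request id -> (hits, kill)
    forwarded = set()  # request ids that have a "FWD via SMTP" line
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue  # postfix and other daemons' lines are ignored
        rid, msg = m.group("rid"), m.group("msg")
        verdict = SPAM_RE.match(msg)
        if verdict:
            spam[rid] = (float(verdict.group("hits")),
                         float(verdict.group("kill")))
        elif msg.startswith("FWD via SMTP"):
            forwarded.add(rid)
    return sorted((rid, h, k) for rid, (h, k) in spam.items()
                  if h >= k and rid in forwarded)


# Constructed sample lines modelled on the excerpt in the original post.
P = "Jun 11 07:37:18 pinot amavis[10738]: "
SAMPLE = [
    "Jun 11 07:37:13 pinot postfix/smtpd[8568]: connect from unknown[192.0.2.1]",
    P + "(10738-04) spam_scan: hits=24.677 tests=BAYES_99,HTML_MESSAGE",
    P + "(10738-04) SPAM, <a@example.com> -> <u@example.org>, Yes, "
        "hits=24.7 tag1=-999.0 tag2=4.0 kill=4.0 tests=BAYES_99, HTML_MESSAGE",
    P + "(10738-04) FWD via SMTP: [127.0.0.1]:10025 <a@example.com> -> <u@example.org>",
    # Spam with no FWD line: it was not passed on.
    P + "(10738-05) SPAM, <b@example.com> -> <u@example.org>, Yes, "
        "hits=9.1 tag1=-999.0 tag2=4.0 kill=4.0 tests=BAYES_99",
    # Clean mail: forwarded, no SPAM verdict.
    P + "(10738-06) FWD via SMTP: [127.0.0.1]:10025 <c@example.com> -> <u@example.org>",
]

if __name__ == "__main__":
    for rid, hits, kill in find_passed_spam(SAMPLE):
        print(f"request {rid}: hits={hits} >= kill={kill} but forwarded")
```

Any hit from this check on a production log points at the delivery policy ($final_spam_destiny and the quarantine settings discussed in the replies), not at SpamAssassin scoring.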

