Re: Irregular Test Reports in SA?

2015-04-05 Thread Bill Cole

On 31 Mar 2015, at 14:43, Kevin A. McGrail wrote:

> But overall, it looks like lunarpages is exceeding some of the RBL
> limits which is immediately going to cause issues.


And to be blunt: that does qualify as shoddy in a commercial provider: 
amateurish & unethical. It's one thing for a hobbyist to accidentally 
hit the rate limits by using free shared resolvers like Google's or 
OpenDNS, it is an entirely different matter for a supposedly 
professional hosting operation to behave as leeches on services that 
honest businesses pay to keep running.


Re: Irregular Test Reports in SA?

2015-03-31 Thread Kevin A. McGrail

On 3/30/2015 10:12 AM, grhoderick wrote:

> First, apologies in advance, I know this list is for seasoned users. I'm a
> consumer—not an administrator by any means—but posting here in hopes that
> the SA focus of the list will provide a clear answer.

It's not just for seasoned users but not sure we can really help you 
unless you can configure or at least tweak your implementation of SA. 
Whether you can or cannot is still unclear.



> If I paste these same Spam mails into an online check service, they trigger
> a handful of tests that my web host's SA install seems to ignore or miss.
> The difference is steep, with messages scoring a range of 4 to 14 points
> higher, which correctly equates to the majority of the spam. These tests are
> comprised mostly of checks against trustworthy blocklists.

RBLs are reactive so this could be a sign that the RBL has caught up in 
the time between the tests.

> Where I'm confused: Is this an obvious sign that the web host isn't updating
> SA appropriately, or is it normal the test reports don't match? Am I
> misunderstanding the scoring system?

We need more headers to see.  What version of SpamAssassin does the 
headers show?  What rules does it show it hits when it does hit?


From what you did post, the most important issue I see is that 
URIBL_BLOCKED is triggered which implies setups that are exceeding free 
volume limits on RBLs and/or not using a local caching nameserver.

> After months of back and forth with the web host, their recommendation has
> been to add rules and do more intensive SA learning. But the way I
> understand it, no amount of tweaking symbolic test scores or adding rules
> can make up for not running the tests to begin with. Without having root
> access to the SA install, can I even influence which tests are applied?
>
> If not, my only option is to leave my host for a service that keeps their SA
> install updated. Your insight here will help me confidently make that
> decision.

That is a significant recommendation to consider.  What ISP are you using?

regards,
KAM


Re: Irregular Test Reports in SA?

2015-03-31 Thread Kevin A. McGrail

On 3/31/2015 2:21 PM, grhoderick wrote:

> All — thanks so much for your time. Regarding your questions, I'll do my best
> to answer given my inexperience with SA.

Ahh, so you are using lunarpages.  I've been working with Lunarpages and 
they use cpanel.  Overall, I think that type of installation is not very 
tweakable.  And I've been working with their techs a bit in the past few 
weeks and they have whitelisted our servers for doing some outsourced 
anti-spam.


So as a completely off-topic solution, I'm looking for guinea pigs. If 
you are interested, email me off-list.


But overall, it looks like lunarpages is exceeding some of the RBL 
limits which is immediately going to cause issues.


regards,
KAM



Re: Irregular Test Reports in SA?

2015-03-31 Thread grhoderick
All — thanks so much for your time. Regarding your questions, I'll do my best
to answer given my inexperience with SA. 


Kevin A. McGrail wrote
> We need more headers to see.  What version of SpamAssassin does the
> headers show?  What rules does it show it hits when it does hit?

Here's raw source of another example I received today, although I don't see
an SA version in there. I also again included the contrasting output from an
online check. The difference is 10 points. http://pastebin.com/HbtC6ETu

How is Bayes being trained? I'm a stranger to Bayes principles, so I
honestly don't know. Here's what the ISP provides me in terms of
configuration:

1) A basic cPanel interface labeled SA configuration which is made up of
form fields that add white list and black list entries and fields for
reassigning test scores. 
http://i.imgur.com/5IrbCz4.png

2) Access to a few raw files, which contain Bayes info and user prefs, which
I'm assuming coincide with the above.
http://i.imgur.com/ZUagJzp.png

That's the extent to which I can tweak SA. Anything beyond requires working
with the ISP. They've mentioned editing the user pref file per the
following:

/Because of that you can train further Spam Assassin to catch more spam and
to performed more test if required. You can edit this configuration file to
do the changes:

/home/xxx/.spamassassin/user_prefs

Different scores can be used, alongside further tests etc. to be carried
out. The following are increased scores for tests that you may consider to
be spam catching: 

score RCVD_IN_BL_SPAMCOP_NET 2.5
score RCVD_IN_SBL 2.0
score URIBL_SBL 1.5
score URIBL_OB_SURBL 2.5
score RAZOR2_CF_RANGE_E8_51_100 0.1/

Should this be necessary for a well-maintained instance of SA?

Again, thanks very much and just to reiterate, what I'm hoping to understand
is what's causing the discrepancy between the scores. Is it my user error
(can I affect which tests are triggered? Should I be performing learning
somehow to affect triggering tests?) or if this is poor maintenance from the
ISP ( they're not updating the software, not adding common tests, etc).
Given what you've seen, is this shoddy plug'n'play for an install of SA?





--
View this message in context: 
http://spamassassin.1065346.n5.nabble.com/Irregular-Test-Reports-in-SA-tp115438p115481.html
Sent from the SpamAssassin - Users mailing list archive at Nabble.com.


Irregular Test Reports in SA?

2015-03-30 Thread grhoderick
First, apologies in advance, I know this list is for seasoned users. I'm a
consumer—not an administrator by any means—but posting here in hopes that
the SA focus of the list will provide a clear answer. 

I'm on a shared web hosting plan and receiving an inordinate amount of very
obvious spam. SA is enabled and email is being scanned and scored
accordingly. The problem is the scores are too low (1-2) and consequently no
mail management is being triggered, messages then hit my inbox. 

If I paste these same Spam mails into an online check service, they trigger
a handful of tests that my web host's SA install seems to ignore or miss.
The difference is steep, with messages scoring a range of 4 to 14 points
higher, which correctly equates to the majority of the spam. These tests are
comprised mostly of checks against trustworthy blocklists. 

Where I'm confused: Is this an obvious sign that the web host isn't updating
SA appropriately, or is it normal the test reports don't match? Am I
misunderstanding the scoring system? 

After months of back and forth with the web host, their recommendation has
been to add rules and do more intensive SA learning. But the way I
understand it, no amount of tweaking symbolic test scores or adding rules
can make up for not running the tests to begin with. Without having root
access to the SA install, can I even influence which tests are applied? 

If not, my only option is to leave my host for a service that keeps their SA
install updated. Your insight here will help me confidently make that
decision. 

Example of the difference in output: 
http://pastebin.com/ph6wZw2R

Thanks very much for your help!






Re: Irregular Test Reports in SA?

2015-03-30 Thread Benny Pedersen

grhoderick wrote on 2015-03-30 16:12:


> Example of the difference in output:
> http://pastebin.com/ph6wZw2R


http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block

funny that zen.spamhaus.org still works


> Thanks very much for your help!


ask your server admins to solve this dns problem, and it will pay off to 
be much better spamassassin install overall


Re: Irregular Test Reports in SA?

2015-03-30 Thread John Hardin

On Mon, 30 Mar 2015, grhoderick wrote:


> After months of back and forth with the web host, their recommendation has
> been to add rules and do more intensive SA learning. But the way I
> understand it, no amount of tweaking symbolic test scores or adding rules
> can make up for not running the tests to begin with. Without having root
> access to the SA install, can I even influence which tests are applied?
>
> Example of the difference in output:
> http://pastebin.com/ph6wZw2R


I assume that's for a spam?

Two big things jump out:

0.0 URIBL_BLOCKED

This means that your ISP's URIBL queries are exceeding the free-access 
limits of the URIBL provider. They should set up a separate dedicated 
caching recursing nameserver for their mail system so that their URIBL 
traffic is not aggregated with other URIBL traffic using their main name 
servers. However, as they are an ISP, this by itself may not be enough to 
drop their query traffic below the free-access threshold. They may need to 
contact the URIBL provider and set up a paid feed for URIBL data.


-1.9 BAYES_00

If this is the score for an obvious spam, then this strongly suggests 
mistraining, or autolearn that has run off the rails.


How is bayes being trained? Has the ISP provided you with any way to train 
obviously misclassified messages? If they don't give you any way to train 
then they have taken that burden upon themselves, and are not doing it 
effectively. They probably need to wipe their database and start over from 
scratch.



--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  USMC Rules of Gunfighting #7: In ten years nobody will remember the
  details of caliber, stance, or tactics. They will only remember who
  lived.
---
 2 days until April Fools' day
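
An added example, not part of any message in this thread: a small Python parser that diffs two SpamAssassin report tables (the host's and an online check's) and flags the two signals raised above, a `*_BLOCKED` rule and `BAYES_00` on a message the other scanner scores as spam. The two sample reports, their scores, the 5.0 threshold and the function names are constructed for illustration.

```python
import re

# One rule row of a SpamAssassin report: "<score> <RULE_NAME> <description>"
ROW = re.compile(r"^\s*(-?\d+(?:\.\d+)?)\s+([A-Z][A-Z0-9_]+)\b")

# Constructed sample reports (not taken from the pastebin links in the thread).
HOST_REPORT = """\
 pts rule name                 description
---- ------------------------- ---------------------------------
 0.0 URIBL_BLOCKED             query to URIBL was blocked
-1.9 BAYES_00                  Bayes spam probability is 0 to 1%
 0.0 HTML_MESSAGE              HTML included in message
 3.0 RAZOR2_CF_RANGE_E8_51_100 Razor2 confidence 51 to 100
"""
REFERENCE_REPORT = """\
 pts rule name                 description
---- ------------------------- ---------------------------------
 0.0 HTML_MESSAGE              HTML included in message
 3.0 RAZOR2_CF_RANGE_E8_51_100 Razor2 confidence 51 to 100
 1.3 RCVD_IN_BL_SPAMCOP_NET    relay listed in bl.spamcop.net
 2.6 RCVD_IN_SBL               relay listed in Spamhaus SBL
 1.6 URIBL_SBL                 URL's domain listed in SBL
 1.5 URIBL_OB_SURBL            URL listed in SURBL
 3.5 BAYES_99                  Bayes spam probability is 99 to 100%
"""

def parse_report(text):
    """Return {rule_name: score}; header and separator lines do not match ROW."""
    hits = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            hits[m.group(2)] = float(m.group(1))
    return hits

def compare(host_report, reference_report, spam_threshold=5.0):
    """Diff two reports and flag refused DNS lookups and suspect Bayes."""
    host, ref = parse_report(host_report), parse_report(reference_report)
    ref_total = round(sum(ref.values()), 1)
    return {
        "host_total": round(sum(host.values()), 1),
        "reference_total": ref_total,
        # A *_BLOCKED hit means the list operator refused the query.
        "blocked_lookups": sorted(r for r in host if r.endswith("_BLOCKED")),
        "missing_on_host": {r: s for r, s in ref.items() if r not in host},
        # BAYES_00 on mail the reference scan calls spam suggests mistraining.
        "bayes_suspect": "BAYES_00" in host and ref_total >= spam_threshold,
    }

if __name__ == "__main__":
    for key, value in compare(HOST_REPORT, REFERENCE_REPORT).items():
        print(f"{key}: {value}")
```
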