Re: spam mails bypassing spamassassin?
All of that said why would it still eventually give up then and let the mail thru without any attempt to filter?

On Feb 23, 2007, at 3:37 AM, David Goldsmith wrote:

> Mathias Homann wrote:
> > Hi,
> >
> > I'm running the following mail chain:
> > fetchmail -> postfix -> clamsmtpd -> postfix -> spamassassin 3.1.7 (as
> > local_transport via the spamdeliver python script that came with the
> > spamassassin sources) -> cyrus imapd (where spam gets sorted out based
> > on its score).
> >
> > now, since a few days, i keep getting the same spam mail several times
> > a day, which has _no_ spamassassin headers at all, as if it has found a
> > way _around_ my spamassassin.
> >
> > Anyone got any ideas?
> >
> > ...where can i put the mail for general inspection? I guess if I
> > attached it to a mail to this list, it would get filtered, right?
> >
> > bye,
> > MH
>
> Check your mail log for error messages like this one:
>
> spamd[12960]: prefork: server reached --max-children setting, consider
> raising it
>
> We've been running spamd with '-m8' (max children spawned) for quite
> some time and all of a sudden yesterday, we started getting similar
> behavior where email was coming through without SA headers.
>
> I'm guessing that some of the network checks we are doing are taking
> longer thus tying up the spawned spamd child processes longer. I bumped
> our -m arg from 8 to 12 (still got the error) and then to 24 -- that
> seems to have helped.
>
> David Goldsmith
Re: spam mails bypassing spamassassin?
Mathias Homann wrote:
> Is that size limit configurable?

| Usage: spamc [options] [-e command [args]] < message
|
| Options:
| [..]
|   -s size   Specify maximum message size, in bytes.
|             [default: 250k]

--
Matthias
RE: spam mails bypassing spamassassin?
I take it you're saving your email on the same server that does the spam filtering?

Only other thing I could think of if this is not the case is email being sent directly to your mail server via secondary mx records or something.

I run a server which filters mail for clients which is what made me think of it, not sure if this is going to affect you though?

Cheers
Phil

-----Original Message-----
From: Mathias Homann [mailto:[EMAIL PROTECTED]
Sent: Fri 2/23/2007 9:56 PM
To: users@spamassassin.apache.org
Subject: spam mails bypassing spamassassin?

Hi,

I'm running the following mail chain:
fetchmail -> postfix -> clamsmtpd -> postfix -> spamassassin 3.1.7 (as local_transport via the spamdeliver python script that came with the spamassassin sources) -> cyrus imapd (where spam gets sorted out based on its score).

now, since a few days, i keep getting the same spam mail several times a day, which has _no_ spamassassin headers at all, as if it has found a way _around_ my spamassassin.

Anyone got any ideas?

...where can i put the mail for general inspection? I guess if I attached it to a mail to this list, it would get filtered, right?

bye,
MH
Re: spam mails bypassing spamassassin?
On Friday 23 February 2007, Mathias Homann wrote:
> On Friday, 23 February 2007 16:12:59, Matt Kettler wrote:
> > Mathias Homann wrote:
> > > Hi,
> > >
> > > I'm running the following mail chain:
> > > fetchmail -> postfix -> clamsmtpd -> postfix -> spamassassin 3.1.7 (as
> > > local_transport via the spamdeliver python script that came with the
> > > spamassassin sources) -> cyrus imapd (where spam gets sorted out based
> > > on its score).
> > >
> > > now, since a few days, i keep getting the same spam mail several times
> > > a day, which has _no_ spamassassin headers at all, as if it has found a
> > > way _around_ my spamassassin.
> > >
> > > Anyone got any ideas?
> >
> > How big was the message? I see it had an .xls file attached. Was it
> > over the default 250k limit that spamc will, by default, bypass
> > scanning after?
>
> it actually _was_ that big... close to 400k actually.
>
> So, if a spammer wants to be sure that his crap doesn't get booted, all he
> needs to do is attach enough image spams to go over that 250kbyte limit???
>
> somehow I don't like that.
>
> Is that size limit configurable?

or even better: make that two limits, the smaller one tells spamassassin not to check the body anymore (that could be the 250kb size limit) and the other one tells SA to skip the whole mail (this limit should be noticeably bigger). with that it would at least be possible to blacklist huge spams.

bye,
MH

--
Sending unsolicited advertising e-mail to private individuals violates §1 UWG and 823 I BGB (decision of the Berlin Regional Court of 2.8.1998, ref.: 16 O 201/98). Any commercial use of the transmitted personal data, as well as passing it on to third parties, is expressly prohibited!
gpg key fingerprint: 5F64 4C92 9B77 DE37 D184 C5F9 B013 44E7 27BD 763C
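An added example, not part of the thread: a Python audit of delivered mail that separates messages which skipped scanning because they exceed the spamc size limit from messages that are unscanned for some other reason. The sample messages are constructed; reading "250k" as 250 * 1024 bytes, the two header names checked and the 100 KiB rounding of the suggested `-s` value are assumptions.

```python
from email import message_from_bytes

SPAMC_LIMIT = 250 * 1024   # assumption: spamc's "250k" default read as KiB
SA_HEADERS = ("X-Spam-Checker-Version", "X-Spam-Status")
STEP = 100 * 1024          # assumption: round a suggested -s up to 100 KiB

def classify(raw, limit=SPAMC_LIMIT):
    """Return 'scanned', 'oversize-bypass' or 'unscanned' for a raw message."""
    msg = message_from_bytes(raw)
    if any(h in msg for h in SA_HEADERS):
        return "scanned"
    # No SpamAssassin headers: size tells the two failure modes apart.
    return "oversize-bypass" if len(raw) > limit else "unscanned"

def audit(messages, limit=SPAMC_LIMIT):
    """List (message-id, size, verdict) for every message that was not scanned."""
    findings = []
    for raw in messages:
        verdict = classify(raw, limit)
        if verdict != "scanned":
            mid = message_from_bytes(raw).get("Message-ID", "<none>")
            findings.append((mid, len(raw), verdict))
    return findings

def suggested_limit(findings, limit=SPAMC_LIMIT):
    """Smallest multiple of STEP that covers every oversize message seen."""
    biggest = max((size for _, size, v in findings if v == "oversize-bypass"),
                  default=limit)
    return -(-biggest // STEP) * STEP if biggest > limit else limit

def _mail(mid, body_len, scanned):
    """Build a constructed sample message with a body of body_len bytes."""
    head = f"From: a@example.com\r\nMessage-ID: {mid}\r\n"
    if scanned:
        head += "X-Spam-Status: No, score=0.1\r\n"
    return (head + "\r\n").encode() + b"x" * body_len

SAMPLES = [
    _mail("<small-ok@example>", 2_000, scanned=True),
    _mail("<big-xls@example>", 400_000, scanned=False),   # like the ~400k mail
    _mail("<small-missed@example>", 2_000, scanned=False),
]

if __name__ == "__main__":
    for mid, size, verdict in audit(SAMPLES):
        print(f"{mid}\t{size}\t{verdict}")
    print("spamc -s", suggested_limit(audit(SAMPLES)))
```

Raising `-s` makes spamd scan larger messages, which keeps its children busy longer, so size it together with the `--max-children` setting discussed elsewhere in this thread.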
Re: spam mails bypassing spamassassin?
David Goldsmith wrote:
> Check your mail log for error messages like this one:
>
> spamd[12960]: prefork: server reached --max-children setting, consider
> raising it
>
> We've been running spamd with '-m8' (max children spawned) for quite
> some time and all of a sudden yesterday, we started getting similar
> behavior where email was coming through without SA headers.
>
> I'm guessing that some of the network checks we are doing are taking
> longer thus tying up the spawned spamd child processes longer. I bumped
> our -m arg from 8 to 12 (still got the error) and then to 24 -- that
> seems to have helped.

Ok, I've dug into this some more because we've suddenly been having a lot of problems with this.

Searching for references to that error message, I came across this old post -- http://www.nabble.com/Spamd-child-states--t2223988.html

I grepped through our maillog for 'child states' and saw this:

Feb 23 15:04:44 iceman14 spamd[12960]: prefork: child states:
Feb 23 15:04:47 iceman14 spamd[12960]: prefork: child states:
Feb 23 15:04:53 iceman14 spamd[12960]: prefork: child states:
Feb 23 15:05:07 iceman14 spamd[12960]: prefork: child states:
Feb 23 15:05:22 iceman14 spamd[12960]: prefork: child states:
Feb 23 15:05:28 iceman14 spamd[12960]: prefork: child states:
Feb 23 15:05:35 iceman14 spamd[12960]: prefork: child states:
Feb 23 15:05:44 iceman14 spamd[12960]: prefork: child states:
Feb 23 15:05:49 iceman14 spamd[12960]: prefork: child states:
Feb 23 15:05:59 iceman14 spamd[12960]: prefork: child states:
Feb 23 15:06:02 iceman14 spamd[12960]: prefork: child states:
Feb 23 15:06:03 iceman14 spamd[12960]: prefork: child states:

Doesn't look good.

I went looking for other errors in the log and saw timeout errors involving ixhash:

spamd[29382]: ixhash timeout reached at /etc/mail/spamassassin/iXhash.pm line 91.

Is anyone experiencing problems connecting to the iXHash servers?

I removed the iXhash.cf and iXhash.pm files from /etc/mail/spamassassin and restarted it. Now our child state log entries look like:

Feb 23 15:32:09 iceman14 spamd[29656]: prefork: child states: BI
Feb 23 15:32:10 iceman14 spamd[29656]: prefork: child states: IB
Feb 23 15:32:14 iceman14 spamd[29656]: prefork: child states: II
Feb 23 15:32:23 iceman14 spamd[29656]: prefork: child states: BB
Feb 23 15:32:23 iceman14 spamd[29656]: prefork: child states: BBB
Feb 23 15:32:23 iceman14 spamd[29656]: prefork: child states:
Feb 23 15:32:23 iceman14 spamd[29656]: prefork: child states: B
Feb 23 15:32:23 iceman14 spamd[29656]: prefork: child states: BB
Feb 23 15:32:23 iceman14 spamd[29656]: prefork: child states: BBB
Feb 23 15:32:23 iceman14 spamd[29656]: prefork: child states: BBBI
Feb 23 15:32:25 iceman14 spamd[29656]: prefork: child states: IBBI
Feb 23 15:32:28 iceman14 spamd[29656]: prefork: child states: IIBI
Feb 23 15:32:28 iceman14 spamd[29656]: prefork: child states: IIBK
Feb 23 15:32:28 iceman14 spamd[29656]: prefork: child states: IBIBBIB
Feb 23 15:32:28 iceman14 spamd[29656]: prefork: child states: IBIBBB
Feb 23 15:32:28 iceman14 spamd[29656]: prefork: child states: IIIBBB
Feb 23 15:32:28 iceman14 spamd[29656]: prefork: child states: IIBBB
Feb 23 15:32:28 iceman14 spamd[29656]: prefork: child states: IIBIB
Feb 23 15:32:28 iceman14 spamd[29656]: prefork: child states: IIBKB
Feb 23 15:32:29 iceman14 spamd[29656]: prefork: child states: IIBI
Feb 23 15:32:29 iceman14 spamd[29656]: prefork: child states: IIBK
Feb 23 15:32:31 iceman14 spamd[29656]: prefork: child states: III
Feb 23 15:32:31 iceman14 spamd[29656]: prefork: child states: II
Feb 23 15:32:37 iceman14 spamd[29656]: prefork: child states: BI
Feb 23 15:32:38 iceman14 spamd[29656]: prefork: child states: II

Periodic spikes as bursts of messages come through but then the children spamd processes get cleaned up.

David Goldsmith
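An added example, not part of the thread: a Python summary of the spamd log lines discussed in the message above, counting child-state samples, samples with every slot in use and none idle, `--max-children` warnings and plugin timeouts. The sample lines are constructed in the format of the excerpts (the host name `mx1` is made up), and reading `I` as an idle child and `B` as a busy one is an assumption the thread does not spell out.

```python
import re
from collections import Counter

SPAMD = re.compile(r"spamd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
STATES = re.compile(r"prefork: child states: ?(?P<s>[A-Z]*)$")

def summarize(lines, max_children=8):
    """Summarise spamd prefork health from syslog lines.

    max_children is the -m value spamd runs with (8 in the message above).
    """
    c = Counter(samples=0, empty=0, saturated=0, limit_hits=0, timeouts=0)
    peak = 0
    for line in lines:
        m = SPAMD.search(line.rstrip())
        if not m:
            continue                      # not a spamd line
        msg = m["msg"]
        st = STATES.match(msg)
        if st:
            states = st["s"]
            c["samples"] += 1
            peak = max(peak, len(states))
            if not states:
                c["empty"] += 1           # no per-child state reported
            elif len(states) >= max_children and "I" not in states:
                c["saturated"] += 1       # every slot used, none idle
        elif "server reached --max-children" in msg:
            c["limit_hits"] += 1
        elif "timeout reached" in msg:
            c["timeouts"] += 1            # e.g. the ixhash plugin timeout
    return dict(c, peak_children=peak)

# Constructed sample lines, modelled on the log excerpts in the message above.
SAMPLE = """\
Feb 23 15:04:40 mx1 spamd[100]: prefork: child states: BBBBBBBB
Feb 23 15:04:41 mx1 spamd[100]: prefork: server reached --max-children setting, consider raising it
Feb 23 15:04:44 mx1 spamd[100]: prefork: child states:
Feb 23 15:04:50 mx1 spamd[101]: ixhash timeout reached at /etc/mail/spamassassin/iXhash.pm line 91.
Feb 23 15:32:09 mx1 spamd[200]: prefork: child states: BI
Feb 23 15:32:28 mx1 spamd[200]: prefork: child states: IBIBBIB
Feb 23 15:32:28 mx1 postfix/smtpd[300]: connect from unknown
""".splitlines()

if __name__ == "__main__":
    for key, value in summarize(SAMPLE).items():
        print(f"{key}: {value}")
```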
Re: spam mails bypassing spamassassin?
On Friday, 23 February 2007 16:12:59, Matt Kettler wrote:
> Mathias Homann wrote:
> > Hi,
> >
> > I'm running the following mail chain:
> > fetchmail -> postfix -> clamsmtpd -> postfix -> spamassassin 3.1.7 (as
> > local_transport via the spamdeliver python script that came with the
> > spamassassin sources) -> cyrus imapd (where spam gets sorted out based on
> > its score).
> >
> > now, since a few days, i keep getting the same spam mail several times a
> > day, which has _no_ spamassassin headers at all, as if it has found a way
> > _around_ my spamassassin.
> >
> > Anyone got any ideas?
>
> How big was the message? I see it had an .xls file attached. Was it
> over the default 250k limit that spamc will, by default, bypass
> scanning after?

it actually _was_ that big... close to 400k actually.

So, if a spammer wants to be sure that his crap doesn't get booted, all he needs to do is attach enough image spams to go over that 250kbyte limit???

somehow I don't like that.

Is that size limit configurable?

bye,
MH
Re: spam mails bypassing spamassassin?
Mathias Homann wrote:
> Hi,
>
> I'm running the following mail chain:
> fetchmail -> postfix -> clamsmtpd -> postfix -> spamassassin 3.1.7 (as
> local_transport via the spamdeliver python script that came with the
> spamassassin sources) -> cyrus imapd (where spam gets sorted out based on its
> score).
>
> now, since a few days, i keep getting the same spam mail several times a day,
> which has _no_ spamassassin headers at all, as if it has found a way _around_
> my spamassassin.
>
> Anyone got any ideas?

How big was the message? I see it had an .xls file attached. Was it over the default 250k limit that spamc will, by default, bypass scanning after?
Re: spam mails bypassing spamassassin?
On Friday, 23 February 2007 10:37:51, David Goldsmith wrote:
>
> Check your mail log for error messages like this one:
>
> spamd[12960]: prefork: server reached --max-children setting, consider
> raising it
>
> We've been running spamd with '-m8' (max children spawned) for quite
> some time and all of a sudden yesterday, we started getting similar
> behavior where email was coming through without SA headers.
>
> I'm guessing that some of the network checks we are doing are taking
> longer thus tying up the spawned spamd child processes longer. I bumped
> our -m arg from 8 to 12 (still got the error) and then to 24 -- that
> seems to have helped.
>
> David Goldsmith

nothing like that in my mail log. in fact, i don't even see a line reading "spamd: processing message $MSGID" for the offending mails in my mail log...

the last bits in my mail log about the message id of the offending message is when it comes out of clamsmtpd, and gets passed to "spamcheck" which is my local transport through spamd and then into imap. but no spamd lines about that mail.

bye,
MH
Re: spam mails bypassing spamassassin?
Mathias Homann wrote:
> Hi,
>
> I'm running the following mail chain:
> fetchmail -> postfix -> clamsmtpd -> postfix -> spamassassin 3.1.7 (as
> local_transport via the spamdeliver python script that came with the
> spamassassin sources) -> cyrus imapd (where spam gets sorted out based on its
> score).
>
> now, since a few days, i keep getting the same spam mail several times a day,
> which has _no_ spamassassin headers at all, as if it has found a way _around_
> my spamassassin.
>
> Anyone got any ideas?
>
> ...where can i put the mail for general inspection? I guess if I attached it
> to a mail to this list, it would get filtered, right?
>
> bye,
> MH

Check your mail log for error messages like this one:

spamd[12960]: prefork: server reached --max-children setting, consider raising it

We've been running spamd with '-m8' (max children spawned) for quite some time and all of a sudden yesterday, we started getting similar behavior where email was coming through without SA headers.

I'm guessing that some of the network checks we are doing are taking longer thus tying up the spawned spamd child processes longer. I bumped our -m arg from 8 to 12 (still got the error) and then to 24 -- that seems to have helped.

David Goldsmith
Re: spam mails bypassing spamassassin?
On Friday, 23 February 2007 10:06:06, Mathias Homann wrote:
> On Friday, 23 February 2007 09:56:29, Mathias Homann wrote:
> > now, since a few days, i keep getting the same spam mail several times a
> > day, which has _no_ spamassassin headers at all, as if it has found a way
> > _around_ my spamassassin.
>
> by the way... when i run that offending mail manually through
> spamassassin -D -t, it gets scored just fine (and with its score of over
> 30, sieve on my imap would have gotten rid of it).
>
> bye,
> MH

mail sits at http://pastebin.com/887137

bye,
MH
Re: spam mails bypassing spamassassin?
On Friday, 23 February 2007 09:56:29, Mathias Homann wrote:
> now, since a few days, i keep getting the same spam mail several times a
> day, which has _no_ spamassassin headers at all, as if it has found a way
> _around_ my spamassassin.

by the way... when i run that offending mail manually through spamassassin -D -t, it gets scored just fine (and with its score of over 30, sieve on my imap would have gotten rid of it).

bye,
MH
spam mails bypassing spamassassin?
Hi,

I'm running the following mail chain:
fetchmail -> postfix -> clamsmtpd -> postfix -> spamassassin 3.1.7 (as local_transport via the spamdeliver python script that came with the spamassassin sources) -> cyrus imapd (where spam gets sorted out based on its score).

now, since a few days, i keep getting the same spam mail several times a day, which has _no_ spamassassin headers at all, as if it has found a way _around_ my spamassassin.

Anyone got any ideas?

...where can i put the mail for general inspection? I guess if I attached it to a mail to this list, it would get filtered, right?

bye,
MH