I've looked through the Wiki, FAQs, READMEs, and GMANE's archives & searches on this list. Oh, and Google... and haven't found anything that would describe or fix what's happening.

Problem being seen: I recently switched to spamd / spamc from running spamassassin out of my procmail. This is on a mail system I administer, but with the switch, I saw an upsurge in spam making its way through. I've been keeping a watch on the various tests being triggered, and haven't seen any of the DNSRBLs or SURBLs. I look at the older spam emails I've captured, and they were frequently being triggered. I managed to go ahead and take an old email, strip off everything that SA had added, and ran it through both spamassassin & spamc. I came up with different results. Here are the current configs, and then I'll go into my testing methodology.

I'm running spamassassin 3.02, on a Mac OS X 10.2.8 machine. It has razor2 installed, along with the various cpan parts needed for net tests.



Just to give the current config:

Spamd is run as root with: /usr/bin/spamd -d --socketpath=/var/run/spamd.sock
spamc is run by the user from procmail with:


:0fw: spamassassin.lock
* < 256000
| /usr/bin/spamc -U /var/run/spamd.sock

-----
spamassassin used to run with:
| /usr/bin/spamassassin

-----

I only have 2 things in my user_prefs
score RCVD_IN_BL_SPAMCOP_NET    3
score RAZOR2_CHECK              3
-----

I've confirmed that the spamd daemon is dropping to the right user by watching the logs:
Apr 17 18:22:54 neuromancer spamd[26173]: got connection over /var/run/spamd.sock
Apr 17 18:22:54 neuromancer spamd[26173]: info: setuid to mbarr succeeded
Apr 17 18:22:54 neuromancer spamd[26173]: processing message <[EMAIL PROTECTED]> for mbarr:501.
Apr 17 18:22:57 neuromancer spamd[26173]: clean message (-2.5/5.0) for mbarr:501 in 2.7 seconds, 12724 bytes.
Apr 17 18:22:57 neuromancer spamd[26173]: result: . -2 - BAYES_00,MSGID_FROM_MTA_HEADER,NO_REAL_NAME scantime=2.7,size=12724,mid=<[EMAIL PROTECTED] org>,bayes=0,autolearn=no



------

I took an old spam (from about 2 weeks ago), and stripped the SA envelope from it to get the original message. I captured that to a file, and looked it over to make sure it had Received-Froms:, etc. I then ran it through these 2 programs, from the command line:

cat ~/mail/123 | spamassassin -t
cat ~/mail/123 | /usr/bin/spamc -U /var/run/spamd.sock

I got a drastically different result. From spamassassin, I got this:

X-Spam-Checker-Version: SpamAssassin 3.0.2 (2004-11-16) on
        xxx.xxx.net
X-Spam-Level: ****************************
X-Spam-Status: Yes, score=28.2 required=5.0 tests=AWL,BAYES_99,
        DNS_FROM_RFC_BOGUSMX,DNS_FROM_RFC_POST,HTML_IMAGE_ONLY_16,
        HTML_MESSAGE,MIME_HTML_ONLY,MIME_HTML_ONLY_MULTI,MPART_ALT_DIFF,
        RAZOR2_CF_RANGE_51_100,RAZOR2_CHECK,RCVD_HELO_IP_MISMATCH,
        RCVD_ILLEGAL_IP,RCVD_IN_BL_SPAMCOP_NET,RCVD_IN_DSBL,
        RCVD_IN_NJABL_PROXY,RCVD_IN_SORBS_HTTP,RCVD_IN_SORBS_MISC,
        RCVD_IN_SORBS_WEB,RCVD_IN_XBL,RCVD_NUMERIC_HELO,URIBL_AB_SURBL,
        URIBL_OB_SURBL,URIBL_SBL,URIBL_SC_SURBL,URIBL_WS_SURBL
        autolearn=unavailable version=3.0.2



From spamc, I got this:
X-Spam-Checker-Version: SpamAssassin 3.0.2 (2004-11-16) on
xxx.xxx.net
X-Spam-Level: ****************
X-Spam-Status: Yes, score=16.2 required=5.0 tests=AWL,BAYES_99,
HTML_IMAGE_ONLY_16,HTML_MESSAGE,MIME_HTML_ONLY,MIME_HTML_ONLY_MULTI,
MPART_ALT_DIFF,RAZOR2_CF_RANGE_51_100,RAZOR2_CHECK,
RCVD_HELO_IP_MISMATCH,RCVD_ILLEGAL_IP,RCVD_NUMERIC_HELO autolearn=no
version=3.0.2


(with an associated log of spamd of:
Apr 17 18:46:37 neuromancer spamd[26073]: got connection over /var/run/spamd.sock
Apr 17 18:46:37 neuromancer spamd[26073]: info: setuid to mbarr succeeded
Apr 17 18:46:37 neuromancer spamd[26073]: processing message <[EMAIL PROTECTED]> for mbarr:501.
Apr 17 18:46:38 neuromancer spamd[26073]: identified spam (16.2/5.0) for mbarr:501 in 1.0 seconds, 2472 bytes.
Apr 17 18:46:38 neuromancer spamd[26073]: result: Y 16 - AWL,BAYES_99,HTML_IMAGE_ONLY_16,HTML_MESSAGE,MIME_HTML_ONLY,MIME_HTML_ONLY_MULTI,MPART_ALT_DIFF,RAZOR2_CF_RANGE_51_100,RAZOR2_CHECK,RCVD_HELO_IP_MISMATCH,RCVD_ILLEGAL_IP,RCVD_NUMERIC_HELO scantime=1.0,size=2472,mid=<[EMAIL PROTECTED] oo.com>,bayes=1,autolearn=no
)


So, I'd say that something is happening that's not supposed to be. I'm running the network tests, as I'm twigging the razor2 rules. It must be something else...


Anyone have any thoughts?

Matthew

Matthew Barr
Managing Partner
Datalyte Consulting, LLC
Apple Authorized Reseller
mailto:[EMAIL PROTECTED]
cell: (646) 765-6878
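A small check that makes the comparison in the post mechanical, added here as an example and not part of the original message: it unfolds the two X-Spam-Status headers quoted above, diffs the test lists, and reports whether every test lost in the spamd run is a DNS-based rule (RCVD_IN_*, URIBL_*, DNS_FROM_*), a pattern worth checking against name resolution from the daemon's environment before looking at the rules themselves. The DNS_PREFIXES grouping is an assumption of mine, not a SpamAssassin setting.

```python
import re

# The two X-Spam-Status headers quoted in the post above, used verbatim as input.
LOCAL_STATUS = """X-Spam-Status: Yes, score=28.2 required=5.0 tests=AWL,BAYES_99,
        DNS_FROM_RFC_BOGUSMX,DNS_FROM_RFC_POST,HTML_IMAGE_ONLY_16,
        HTML_MESSAGE,MIME_HTML_ONLY,MIME_HTML_ONLY_MULTI,MPART_ALT_DIFF,
        RAZOR2_CF_RANGE_51_100,RAZOR2_CHECK,RCVD_HELO_IP_MISMATCH,
        RCVD_ILLEGAL_IP,RCVD_IN_BL_SPAMCOP_NET,RCVD_IN_DSBL,
        RCVD_IN_NJABL_PROXY,RCVD_IN_SORBS_HTTP,RCVD_IN_SORBS_MISC,
        RCVD_IN_SORBS_WEB,RCVD_IN_XBL,RCVD_NUMERIC_HELO,URIBL_AB_SURBL,
        URIBL_OB_SURBL,URIBL_SBL,URIBL_SC_SURBL,URIBL_WS_SURBL
        autolearn=unavailable version=3.0.2"""
DAEMON_STATUS = """X-Spam-Status: Yes, score=16.2 required=5.0 tests=AWL,BAYES_99,
HTML_IMAGE_ONLY_16,HTML_MESSAGE,MIME_HTML_ONLY,MIME_HTML_ONLY_MULTI,
MPART_ALT_DIFF,RAZOR2_CF_RANGE_51_100,RAZOR2_CHECK,
RCVD_HELO_IP_MISMATCH,RCVD_ILLEGAL_IP,RCVD_NUMERIC_HELO autolearn=no
version=3.0.2"""

# Assumed grouping: rule-name prefixes of tests that need DNS lookups
# (RBL lookups, URI blocklists, DNS sanity checks on the sender domain).
DNS_PREFIXES = ("RCVD_IN_", "URIBL_", "DNS_FROM_")


def parse_status(header: str) -> dict:
    """Unfold one X-Spam-Status header and return its score and the set of tests hit."""
    flat = " ".join(header.split())  # collapse folded lines, indented or not
    score = float(re.search(r"score=(-?\d+(?:\.\d+)?)", flat).group(1))
    field = re.search(r"tests=(.*?)(?:\s+autolearn=|\s+version=|$)", flat).group(1)
    tests = {t for t in re.split(r"[,\s]+", field) if t}
    return {"score": score, "tests": tests}


def compare_runs(local_hdr: str, daemon_hdr: str) -> dict:
    """Diff the two runs and say whether the daemon lost only DNS-based tests."""
    local, daemon = parse_status(local_hdr), parse_status(daemon_hdr)
    missing = local["tests"] - daemon["tests"]
    dns_missing = sorted(t for t in missing if t.startswith(DNS_PREFIXES))
    other_missing = sorted(t for t in missing if not t.startswith(DNS_PREFIXES))
    return {
        "score_delta": round(local["score"] - daemon["score"], 1),
        "dns_missing": dns_missing,
        "other_missing": other_missing,
        "extra_in_daemon": sorted(daemon["tests"] - local["tests"]),
        # Heuristic: every lost test is DNS-based while Razor2 still fires in both,
        # so DNS resolution from the daemon is the first thing to verify.
        "only_dns_lost": bool(missing) and not other_missing,
    }


if __name__ == "__main__":
    for key, value in compare_runs(LOCAL_STATUS, DAEMON_STATUS).items():
        print(f"{key}: {value}")
```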