Posted to users@spamassassin.apache.org by "L. Mark Stone" <lm...@rnome.com> on 2006/06/11 16:08:31 UTC
Help With Configuration Issue
Started noticing the system flagging spam emails but not deleting them:
Jun 11 07:37:13 pinot postfix/smtpd[8568]: connect from unknown[160.79.37.83]
Jun 11 07:37:14 pinot postfix/smtpd[8568]: 9F6CBE88001:
client=unknown[160.79.37.83]
Jun 11 07:37:16 pinot postfix/cleanup[11935]: 9F6CBE88001:
message-id=<75...@ninhhyZ-miehham>
Jun 11 07:37:16 pinot postfix/qmgr[7184]: 9F6CBE88001:
from=<Mo...@nkastream.com>, size=4038, nrcpt=1 (queue active)
Jun 11 07:37:16 pinot amavis[10738]: (10738-04) ESMTP::10024
/var/spool/amavis/tmp/amavis-20060611T044830-10738:
<Mo...@nkastream.com> -> <realemailaddressremoved> Received:
SIZE=4038 BODY=8BITMIME from pinot.rnome.com ([127.0.0.1]) by
localhost (pinot [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id
10738-04 for <realemailaddressremoved>; Sun, 11 Jun 2006 07:37:16
-0400 (EDT)
Jun 11 07:37:16 pinot amavis[10738]: (10738-04) Checking:
<Mo...@nkastream.com> -> <rm...@smsllc.com>
Jun 11 07:37:18 pinot amavis[10738]: (10738-04) spam_scan: hits=24.677
tests=BAYES_99,HTML_50_60,HTML_IMAGE_ONLY_20,HTML_MESSAGE,HTML_SHORT_LINK_IMG_3,HTML_TEXT_AFTER_BODY,RAZOR2_CF_RANGE_51_100,RAZOR2_CF_RANGE_E4_51_100,RAZOR2_CF_RANGE_E8_51_100,RAZOR2_CHECK,TW_EH,TW_NH,URIBL_JP_SURBL,URIBL_OB_SURBL,URIBL_SBL,URIBL_WS_SURBL
Jun 11 07:37:18 pinot amavis[10738]: (10738-04) SPAM,
<Mo...@nkastream.com> -> <realemailaddressremoved>, Yes,
hits=24.7 tag1=-999.0 tag2=4.0 kill=4.0 tests=BAYES_99, HTML_50_60,
HTML_IMAGE_ONLY_20, HTML_MESSAGE, HTML_SHORT_LINK_IMG_3,
HTML_TEXT_AFTER_BODY, RAZOR2_CF_RANGE_51_100,
RAZOR2_CF_RANGE_E4_51_100, RAZOR2_CF_RANGE_E8_51_100, RAZOR2_CHECK,
TW_EH, TW_NH, URIBL_JP_SURBL, URIBL_OB_SURBL, URIBL_SBL, URIBL_WS_SURBL
Jun 11 07:37:18 pinot amavis[10738]: (10738-04) FWD via SMTP:
[127.0.0.1]:10025 <Mo...@nkastream.com> ->
<realemailaddressremoved>
System is SuSE Linux Enterprise Server9 with spamassassin 3.1.0 and amavis
Spamassassin lints OK, and here are relevant portions of
/etc/amavisd.conf (probably may wordwrap).
$sa_tag_level_deflt = -999.0; # add spam info headers if at, or above that level
$sa_tag2_level_deflt = 4.0;
$sa_kill_level_deflt = $sa_tag2_level_deflt; # triggers spam evasive actions
# at or above that level: bounce/reject/drop,
# quarantine, and adding mail address extension
$sa_dsn_cutoff_level = 6.5; # spam level beyond which a DSN is not sent,
# effectively turning D_BOUNCE into D_DISCARD;
# undef disables this feature and is a default;
$sa_spam_subject_tag = '***SPAM*** '; # (defaults to undef, disabled)
# (only seen when spam is not to be rejected
# and recipient is in local_domains*)
Given the configuration, I would have expected the message to have
been discarded. What did I miss?
Thanks,
Mark
--
_________________________________________________________
A Message From... L. Mark Stone
Reliable Networks of Maine, LLC
"We manage your network so you can manage your business"
477 Congress Street
Portland, ME 04101
Tel: (207) 772-5678
Web: http://www.rnome.com
This email was sent from Reliable Networks of Maine LLC.
It may contain information that is privileged and confidential.
If you suspect that you were not intended to receive it, please
delete it and notify us as soon as possible. Thank you.
Re: Help With Configuration Issue
Posted by "L. Mark Stone" <lm...@rnome.com>.
Quoting Bill Randle <bi...@neocat.org>:
> On Sun, 2006-06-11 at 10:08 -0400, L. Mark Stone wrote:
>> Started noticing the system flagging spam emails but not deleting them:
> [cut]
>> Jun 11 07:37:18 pinot amavis[10738]: (10738-04) spam_scan: hits=24.677
>> tests=BAYES_99,HTML_50_60,HTML_IMAGE_ONLY_20,HTML_MESSAGE,HTML_SHORT_LINK_IMG_3,HTML_TEXT_AFTER_BODY,RAZOR2_CF_RANGE_51_100,RAZOR2_CF_RANGE_E4_51_100,RAZOR2_CF_RANGE_E8_51_100,RAZOR2_CHECK,TW_EH,TW_NH,URIBL_JP_SURBL,URIBL_OB_SURBL,URIBL_SBL,URIBL_WS_SURBL
>> Jun 11 07:37:18 pinot amavis[10738]: (10738-04) SPAM,
>> <Mo...@nkastream.com> -> <realemailaddressremoved>, Yes,
>> hits=24.7 tag1=-999.0 tag2=4.0 kill=4.0 tests=BAYES_99, HTML_50_60,
>> HTML_IMAGE_ONLY_20, HTML_MESSAGE, HTML_SHORT_LINK_IMG_3,
>> HTML_TEXT_AFTER_BODY, RAZOR2_CF_RANGE_51_100,
>> RAZOR2_CF_RANGE_E4_51_100, RAZOR2_CF_RANGE_E8_51_100, RAZOR2_CHECK,
>> TW_EH, TW_NH, URIBL_JP_SURBL, URIBL_OB_SURBL, URIBL_SBL, URIBL_WS_SURBL
>> Jun 11 07:37:18 pinot amavis[10738]: (10738-04) FWD via SMTP:
>> [127.0.0.1]:10025 <Mo...@nkastream.com> ->
>> <realemailaddressremoved>
>>
>> System is SuSE Linux Enterprise Server9 with spamassassin 3.1.0 and amavis
>>
>> Spamassassin lints OK, and here are relevant portions of
>> /etc/amavisd.conf (probably may wordwrap).
> [cut]
>
>> Given the configuration, I would have expected the message to have
>> been discarded. What did I miss?
>
> By any chance did you accidentally set $final_spam_destiny to D_PASS in
> the config file? There's a line that does this, but it's commented out
> by default.
>
> -Bill
Bill,
We did have $final_spam_destiny set to D_PASS but have now changed this to
D_DISCARD and increased the discard level from 4.0 to 5.0. Not as
high as you suggested, but since I have been grepping the mail logs,
we have had no false positives.
Thanks for that great catch; that will save me from doing some regexp
work in Postfix to combat backscatter.
All the best,
Mark
Re: Help With Configuration Issue
Posted by Gary V <mr...@hotmail.com>.
>Yes, discarding is not only controlled by $sa_kill_level_deflt but also by
>$final_spam_destiny and whether a quarantine is configured or not, and if
>quarantine is configured, then also $sa_quarantine_cutoff_level. This is
>not a SpamAssassin question, it is an amavisd-new question.
Having said that, if a larger than normal percentage of spam scores at 4.0
or below, and that is why you want to discard at a score of 4.0, then that
would be a concern and that *is* a SpamAssassin question.
Gary V
Re: Help With Configuration Issue
Posted by Gary V <mr...@hotmail.com>.
> > Given the configuration, I would have expected the message to have
> > been discarded. What did I miss?
>
>By any chance did you accidentally set $final_spam_destiny to D_PASS in
>the config file? There's a line that does this, but it's commented out
>by default.
>
> -Bill
Yes, discarding is not only controlled by $sa_kill_level_deflt but also by
$final_spam_destiny and whether a quarantine is configured or not, and if
quarantine is configured, then also $sa_quarantine_cutoff_level. This is not
a SpamAssassin question, it is an amavisd-new question.
This may help:
http://www200.pair.com/mecham/spam/amavisd-settings.html
BTW, if you are really going to discard mail that scores 4.0 or higher, you
will lose legitimate mail. If anything, I would suggest accepting mail up
to a score of somewhere around 7.0 and marking mail between 4.0 and 7.0 as
***SPAM*** on the Subject: line.
Maybe something like this:
$final_spam_destiny = D_DISCARD;
$spam_quarantine_to = 'spam-quarantine';
$sa_tag_level_deflt = -999;
$sa_tag2_level_deflt = 4.0;
$sa_kill_level_deflt = 7.0;
$sa_spam_subject_tag = '***SPAM*** ';
$sa_quarantine_cutoff_level = 14;
Then set up a cron job to delete items in the quarantine that are older than
60 days or something.
If by 'discard' you mean quarantine, then it is still not a good idea to
quarantine at such a low level. You are more likely to find ham in the
quarantine which means you will spend more time searching for items in the
quarantine which ends up being counterproductive.
My 0.02
Gary V
Re: Help With Configuration Issue
Posted by Bill Randle <bi...@neocat.org>.
On Sun, 2006-06-11 at 10:08 -0400, L. Mark Stone wrote:
> Started noticing the system flagging spam emails but not deleting them:
[cut]
> Jun 11 07:37:18 pinot amavis[10738]: (10738-04) spam_scan: hits=24.677
> tests=BAYES_99,HTML_50_60,HTML_IMAGE_ONLY_20,HTML_MESSAGE,HTML_SHORT_LINK_IMG_3,HTML_TEXT_AFTER_BODY,RAZOR2_CF_RANGE_51_100,RAZOR2_CF_RANGE_E4_51_100,RAZOR2_CF_RANGE_E8_51_100,RAZOR2_CHECK,TW_EH,TW_NH,URIBL_JP_SURBL,URIBL_OB_SURBL,URIBL_SBL,URIBL_WS_SURBL
> Jun 11 07:37:18 pinot amavis[10738]: (10738-04) SPAM,
> <Mo...@nkastream.com> -> <realemailaddressremoved>, Yes,
> hits=24.7 tag1=-999.0 tag2=4.0 kill=4.0 tests=BAYES_99, HTML_50_60,
> HTML_IMAGE_ONLY_20, HTML_MESSAGE, HTML_SHORT_LINK_IMG_3,
> HTML_TEXT_AFTER_BODY, RAZOR2_CF_RANGE_51_100,
> RAZOR2_CF_RANGE_E4_51_100, RAZOR2_CF_RANGE_E8_51_100, RAZOR2_CHECK,
> TW_EH, TW_NH, URIBL_JP_SURBL, URIBL_OB_SURBL, URIBL_SBL, URIBL_WS_SURBL
> Jun 11 07:37:18 pinot amavis[10738]: (10738-04) FWD via SMTP:
> [127.0.0.1]:10025 <Mo...@nkastream.com> ->
> <realemailaddressremoved>
>
> System is SuSE Linux Enterprise Server9 with spamassassin 3.1.0 and amavis
>
> Spamassassin lints OK, and here are relevant portions of
> /etc/amavisd.conf (probably may wordwrap).
[cut]
> Given the configuration, I would have expected the message to have
> been discarded. What did I miss?
By any chance did you accidentally set $final_spam_destiny to D_PASS in
the config file? There's a line that does this, but it's commented out
by default.
-Bill
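A log audit for the symptom discussed in this thread, as an added example that is not part of any poster's message: it pairs each amavis "SPAM," verdict with a later "FWD via SMTP" entry for the same amavis id and reports mail that scored at or above kill yet was still forwarded, the pattern seen here with $final_spam_destiny set to D_PASS. The sample log is constructed from the entry format in the original post (one syslog entry per line, placeholder addresses), and the function name passed_spam is hypothetical.

```python
import re

# Constructed sample (one syslog entry per line, placeholder addresses),
# modeled on the amavis entries quoted in the thread.
SAMPLE_LOG = """\
Jun 11 07:37:18 pinot amavis[10738]: (10738-04) SPAM, <a@example.com> -> <u@example.org>, Yes, hits=24.7 tag1=-999.0 tag2=4.0 kill=4.0 tests=BAYES_99, RAZOR2_CHECK
Jun 11 07:37:18 pinot amavis[10738]: (10738-04) FWD via SMTP: [127.0.0.1]:10025 <a@example.com> -> <u@example.org>
Jun 11 07:40:02 pinot amavis[10739]: (10739-01) SPAM, <b@example.com> -> <u@example.org>, Yes, hits=9.1 tag1=-999.0 tag2=4.0 kill=4.0 tests=BAYES_99
Jun 11 07:40:30 pinot amavis[10739]: (10739-02) SPAM, <d@example.com> -> <u@example.org>, Yes, hits=5.2 tag1=-999.0 tag2=4.0 kill=7.0 tests=HTML_MESSAGE
Jun 11 07:40:30 pinot amavis[10739]: (10739-02) FWD via SMTP: [127.0.0.1]:10025 <d@example.com> -> <u@example.org>
Jun 11 07:41:10 pinot amavis[10738]: (10738-05) FWD via SMTP: [127.0.0.1]:10025 <c@example.com> -> <u@example.org>
"""

ENTRY = re.compile(r"amavis\[\d+\]: \((?P<id>[\d-]+)\) (?P<msg>.*)")
VERDICT = re.compile(r"SPAM, .*\bhits=(?P<hits>-?[\d.]+) .*\bkill=(?P<kill>-?[\d.]+)")


def passed_spam(log_text):
    """Return (amavis_id, hits, kill) for each message that scored at or
    above the kill level and was nevertheless forwarded for delivery."""
    verdicts = {}   # amavis id -> (hits, kill) from its SPAM verdict line
    findings = []
    for line in log_text.splitlines():
        entry = ENTRY.search(line)
        if not entry:
            continue  # postfix or other non-amavis line
        msg_id, msg = entry.group("id"), entry.group("msg")
        verdict = VERDICT.match(msg)
        if verdict:
            verdicts[msg_id] = (float(verdict.group("hits")),
                                float(verdict.group("kill")))
        elif msg.startswith("FWD via SMTP:") and msg_id in verdicts:
            hits, kill = verdicts.pop(msg_id)
            if hits >= kill:  # tagged-only mail (below kill) is expected to pass
                findings.append((msg_id, hits, kill))
    return findings


if __name__ == "__main__":
    for msg_id, hits, kill in passed_spam(SAMPLE_LOG):
        print(f"{msg_id}: hits={hits} >= kill={kill} but forwarded; "
              "check $final_spam_destiny")
```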