Posted to users@spamassassin.apache.org by Debbie D <we...@beautytech.com> on 2007/07/18 06:31:44 UTC
too much spam getting through, scores too low
I am so frustrated.. updated cpanel the other day to
WHM 11.2.0 cPanel 11.6.0-C15032
FEDORA 4 i686 - WHM X v3.1.0
Exim 4.66 on a Linux box
This in turn updated SA to 3.002001 (3.2.1 I guess)
I have run sa-update, restarted exim.. and SA runs and it definitely catches
spam.. no question there..
Exim statistics from 2007-07-15 04:06:11 to 2007-07-17 22:06:20
Received 5871
Delivered 7195
Rejects 48228
that's 66 hours and 48k spam received.. and trashed
But I am still getting way too many spams.. more than I did before the
update -- cialis, viagra, all kinds of meds, all scoring between 0.6 and 3.5
How can these mails score that low?
I used to be able to see the rules it hit on, but can no longer see this..
Also I see that since the upgrade local delivered mails are not being
scanned at all.. not that those really matter IMHO.. they come from my
forums or forms.. The SA version header is also gone from the headers..
Other settings
Reject mail at SMTP time if the spam score from spamassassin is greater than
10.0. [Ticked ON]
Reject messages with potentially dangerous attachments. [Ticked ON]
Rewrite messages SpamAssassin marks as spam with ***SPAM*** at the beginning
of the subject line. [Ticked ON]
OH WAIT.. Turn on SpamAssassin for all accounts (Global ON). is NOT
checked... and neither is use old transport system.. am I just being dumb
blond here??
But if the global is not ON.. how is SA running? OK so I am really confused
now
I did turn SA ON globally and am tailing the mail logs right now.. what I
saw when SA restarted:
Jul 17 22:30:18 server spamd[7755]: rules: meta test FM_DDDD_TIMES_2 has dependency 'FH_HOST_EQ_D_D_D_D' with a zero score
Jul 17 22:30:18 server spamd[7755]: rules: meta test FM_SEX_HOSTDDDD has dependency 'FH_HOST_EQ_D_D_D_D' with a zero score
Jul 17 22:30:18 server spamd[7755]: rules: meta test HS_PHARMA_1 has dependency 'HS_SUBJ_ONLINE_PHARMACEUTICAL' with a zero score
how do I fix that??
And mails created locally from my forum and forms are still not getting
scanned, but in the past 2+ hours the spam level of those that got through
has decreased somewhat
The server also seems to be running at slightly higher loads (.90 - 1.50%)
than before.. my forum is quite busy this time of night though so it is hard
to say where that lies
thanks
Re: too much spam getting through, scores too low
Posted by Paul Griffith <pa...@cse.yorku.ca>.
On Wed, 18 Jul 2007 00:31:44 -0400, Debbie D <we...@beautytech.com>
wrote:
> I am so frustrated.. updated cpanel the other day to
> WHM 11.2.0 cPanel 11.6.0-C15032
> FEDORA 4 i686 - WHM X v3.1.0
> Exim 4.66 on a Linux box
> But I am still getting way too many spams.. more than I did before the
> update -- cialis, viagra, all kinds of meds, all scoring between 0.6 and
> 3.5
>
> How can these mails score that low?
>
> I used to be able to see the rules it hit on, but can no longer see
> this.. Also I see that since the upgrade local delivered mails are not
> being scanned at all.. not that those really matter IMHO.. they come
> from my forums or forms.. The SA version header is also gone from the
> headers..
>
I am in the same boat as you. I am running Exim 4.67 with SA v3.2.1 and I
am seeing spam that I should not.
Try to run the spam e-mail through spamassassin from the command line.
i.e. spamassassin -t < spam-email-that-got-pass-exim.txt
Let me know what you find, something is wrong with the exim<->connection.
I am not an Exim expert, but maybe we can solve this problem.
Paul
Re: too much spam getting through, scores too low
Posted by Paul Griffith <pa...@cse.yorku.ca>.
On Wed, 18 Jul 2007 11:17:16 -0400, SM <sm...@resistor.net> wrote:
> At 05:39 18-07-2007, Paul Griffith wrote:
>> See this link:
>> http://www.cse.yorku.ca/~paulg/missed-spam.html
>
> Both messages scored 13.9 and hit FH_FROMEML_NOTLD,RDNS_NONE,
> URIBL_BLACK,URIBL_JP_SURBL,URIBL_OB_SURBL,URIBL_SC_SURBL,URIBL_WS_SURBL.
> This was tested on a system without any additional rules and without
> Bayes.
>
> Your SpamAssassin setup gave the first message a score of 4.5 and the
> second one a score of 4.6. They may not have been in all the URI
> blacklists at the time your mail server received the message. Both
> messages hit RCVD_IN_PBL and RDNS_NONE. If you add 0.5 to the score for
> any of these two rules, the scores of these messages would reach your
> threshold.
>
> Are you using Bayes? See
> http://wiki.apache.org/spamassassin/BayesInSpamAssassin
>
> Regards,
> -sm
We have Bayes turned off. I will take a look at the URL listed above and keep
digging!
Thanks
Paul
Re: too much spam getting through, scores too low
Posted by SM <sm...@resistor.net>.
At 05:39 18-07-2007, Paul Griffith wrote:
>See this link:
>http://www.cse.yorku.ca/~paulg/missed-spam.html
Both messages scored 13.9 and hit
FH_FROMEML_NOTLD,RDNS_NONE,
URIBL_BLACK,URIBL_JP_SURBL,URIBL_OB_SURBL,URIBL_SC_SURBL,URIBL_WS_SURBL.
This was tested on a system without any additional rules and without Bayes.
Your SpamAssassin setup gave the first message a score of 4.5 and the
second one a score of 4.6. They may not have been in all the URI
blacklists at the time your mail server received the message. Both
messages hit RCVD_IN_PBL and RDNS_NONE. If you add 0.5 to the score
for any of these two rules, the scores of these messages would reach
your threshold.
Are you using Bayes? See
http://wiki.apache.org/spamassassin/BayesInSpamAssassin
Regards,
-sm
Re: too much spam getting through, scores too low
Posted by Paul Griffith <pa...@cse.yorku.ca>.
On Wed, 18 Jul 2007 05:30:38 -0400, SM <sm...@resistor.net> wrote:
> At 21:31 17-07-2007, Debbie D wrote:
>> But I am still getting way too many spams.. more than I did before the
>> update -- cialis, viagra, all kinds of meds, all scoring between 0.6
>> and 3.5
>
> Post a link to some of these emails including full headers. That should
> show the rules they hit.
See this link:
http://www.cse.yorku.ca/~paulg/missed-spam.html
Debbie, are these the kind of e-mails that are bypassing Exim/SA?
Here are some snippets from our Exim configure file.
-------
# Content-Filtering
av_scanner = clamd:/tmp/clamd.sock
spamd_address = /tmp/spamd.sock
-------
# Reject spam messages with score >= 5
deny message = This message scored $spam_score spam points.
     spam = exim:true/defer_ok
     condition = ${if >{$spam_score_int}{50}{1}{0}}
# finally accept all the rest
----
local_delivery:
  driver = appendfile
  transport_filter = /xsys/bin/spamc -U /tmp/spamd.sock
  file = /var/mail/$local_part
  delivery_date_add
  envelope_to_add
  return_path_add
# group = mail
# mode = 0660
----
address_pipe:
  driver = pipe
  transport_filter = /xsys/bin/spamc -U /tmp/spamd.sock
  return_fail_output
----
I can send snippets from our Exim and spamd log files.
Thanks
Paul
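The following is an added example, not part of any post in this thread. It models the ACL condition from the Exim snippet above together with the +0.5 rule adjustment suggested elsewhere in the thread; the X-Spam-Status headers are constructed samples and the function names are hypothetical.

```python
import re
from decimal import Decimal

# Constructed sample headers (not copied from the linked messages). The scores
# and rule names are the ones quoted in the thread; the rest is illustrative.
SAMPLE_HEADERS = [
    "X-Spam-Status: No, score=4.5 required=5.0 tests=RCVD_IN_PBL,\n"
    "\tRDNS_NONE autolearn=no version=3.2.1",
    "X-Spam-Status: No, score=4.6 required=5.0 tests=RCVD_IN_PBL,RDNS_NONE "
    "autolearn=no version=3.2.1",
]


def parse_status(header):
    """Return (score, required, [rules]) from an X-Spam-Status header."""
    flat = re.sub(r"\r?\n[ \t]+", "", header)  # unfold continuation lines
    score = Decimal(re.search(r"score=(-?\d+(?:\.\d+)?)", flat).group(1))
    required = Decimal(re.search(r"required=(-?\d+(?:\.\d+)?)", flat).group(1))
    tests = re.search(r"tests=(\S*)", flat).group(1)
    return score, required, [t for t in tests.split(",") if t]


def exim_rejects(score, limit_int=50):
    """Model the ACL test ${if >{$spam_score_int}{50}{1}{0}}.

    Exim's $spam_score_int is the spam score multiplied by ten, as an integer.
    """
    return int(score * 10) > limit_int


def what_if(header, bumps):
    """Re-score a message after adding bumps[rule] for each rule it hit."""
    score, required, rules = parse_status(header)
    new = score + sum(Decimal(bumps.get(r, "0")) for r in rules)
    return {
        "old": score,
        "new": new,
        "sa_flags": new >= required,        # SpamAssassin: score >= required
        "exim_rejects": exim_rejects(new),  # ACL above: strictly above 5.0
    }


if __name__ == "__main__":
    for hdr in SAMPLE_HEADERS:
        print(what_if(hdr, {"RDNS_NONE": "0.5"}))
```

With these constructed inputs, the 4.5 message bumped to 5.0 is flagged by SpamAssassin but not rejected by the ACL, because 50 is not greater than 50; the 4.6 message bumped to 5.1 is rejected.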
Re: too much spam getting through, scores too low
Posted by SM <sm...@resistor.net>.
At 21:31 17-07-2007, Debbie D wrote:
>But I am still getting way too many spams.. more than I did before
>the update -- cialis, viagra, all kinds of meds, all scoring between
>0.6 and 3.5
Post a link to some of these emails including full headers. That
should show the rules they hit.
>How can these mails score that low?
It depends on the tests performed and the rules hit.
>I used to be able to see the rules it hit on, but can no longer see
>this.. Also I see
You should also see the rules hit in your mail log.
>that since the upgrade local delivered mails are not being scanned
>at all.. not that those really matter IMHO.. they come from my
>forums or forms.. The SA version header is also gone from the headers..
SpamAssassin only assigns a score based on tests performed. It's
Exim that adds these headers and accepts or rejects the message. From
your statistics it seems like emails are being scanned but if you
don't see the SA header, then something may be wrong.
>Other settings
>
>Reject mail at SMTP time if the spam score from spamassassin is
>greater than 10.0. [Ticked ON]
>Reject messages with potentially dangerous attachments. [Ticked ON]
>Rewrite messages SpamAssassin marks as spam with ***SPAM*** at the
>beginning of the subject line. [Ticked ON]
>
>OH WAIT.. Turn on SpamAssassin for all accounts (Global ON). is NOT
>checked... and neither is use old transport system.. am I just being
>dumb blond here??
>But if the global is not ON.. how is SA running? OK so I am really
>confused now
Are you sure SA is being called by Exim?
>I did turn SA ON globally and am tailing the mail logs right now..
>what I saw when SA restarted:
>Jul 17 22:30:18 server spamd[7755]: rules: meta test FM_DDDD_TIMES_2
>has dependency 'FH_HOST_EQ_D_D_D_D' with a zero score
>Jul 17 22:30:18 server spamd[7755]: rules: meta test FM_SEX_HOSTDDDD
>has dependency 'FH_HOST_EQ_D_D_D_D' with a zero score
>Jul 17 22:30:18 server spamd[7755]: rules: meta test HS_PHARMA_1 has
>dependency 'HS_SUBJ_ONLINE_PHARMACEUTICAL' with a zero score
You can ignore these three warnings.
Regards,
-sm