Posted to users@spamassassin.apache.org by Payal Rathod <pa...@scriptkitchen.com> on 2005/05/02 09:09:35 UTC

bayes problem

Hi,
I am looking after a friend's email server till he returns from his 
vacation. In his local.cf (SA 2.61 and yes I know it is time for 
upgrade) file he has,
bayes_path /etc/mail/spamassassin/bayes
use_bayes  1
score BAYES_50 0.001

Also bayes is well trained with,
-rw-------    1 root     root      5263360 May  2 01:58 bayes_seen
-rw-------    1 root     root      4210688 May  2 01:58 bayes_toks

All the spam mails are forwarded to an account 'spam'.
Lately his users had started complaining that they received more spam 
than ever, so I checked his spam folder and grepped for bayes in 
headers. Surprisingly, out of 500 mails none showed bayes in headers.  
Does that mean bayes has stopped working?

# sa-learn --dump magic
0.000          0          2          0  non-token data: bayes db version
0.000          0      13061          0  non-token data: nspam
0.000          0      31377          0  non-token data: nham
0.000          0     128804          0  non-token data: ntokens
0.000          0 1114158622          0  non-token data: oldest atime
0.000          0 1115016277          0  non-token data: newest atime
0.000          0 1115016659          0  non-token data: last journal sync atime
0.000          0 1114797900          0  non-token data: last expiry atime
0.000          0     639290          0  non-token data: last expire atime delta
0.000          0      36759          0  non-token data: last expire reduction count

What must be wrong?
With warm regards,
-Payal


Raising the score...

Posted by Kevin Morwood <ke...@morwood.ca>.
Hello,

I have an old email address that a few contacts still use to reach me. 
I've tried to get everyone up to date on the new address but no luck. 
That's not really the issue though...

The reason I changed addresses was that the spam that was coming in was 
all addressed to the old address.  I see that SA has a concept of 
'blacklist_to' but that will probably be overkill...right?

If I set up whitelists for the people who I know...and who still use my 
old address...and blacklist all other mail that is addressed to this 
address...will that work?

Is there a better way...besides begging these contacts to finally update 
their address books?  :)

TIA,
Kevin

Re: bayes problem

Posted by Matt Kettler <mk...@evi-inc.com>.
Payal Rathod wrote:

>On Mon, May 02, 2005 at 02:11:19PM -0400, Matt Kettler wrote:
>
>>How is SA called? from procmail, or something else?
>
>For .qmail file with a script ifspamh
>
>>One major problem I see is that the bayes files have permissions of 400,
>>but the bayes DB is site-wide. You generally need to use bayes_file_mode
>[...]
>
>Right. Do I need 777 or just 744?
>
In general 777. All users that need to access the bayes DB need to be
able to write to it, and create/delete temporary files and lock files.

This happens most extensively in the event of opportunistic expiry or
autolearning.

In your case I might do 744, just because the box isn't yours and the
admin might not want world-writable files (in which case he shouldn't be
using a global bayes DB).

However, 744  is really a half-baked solution and won't eliminate bayes
problems.

>>As for receiving more spam than ever. Well, you're using SA 2.61, which
>>IS massively outdated. Spam is a moving target, and SpamAssassin does
>>require reasonably frequent updates to keep abreast of changing trends.
>
>How safe is it to change to the new version? His is a live server and we 
>don't want to risk anything at all.
>
I wouldn't be doing extensive upgrades on a box you don't normally
administer. However, you should let him know that all versions from 2.60
through 2.63 are vulnerable to a DoS attack if a person sends you a
maliciously crafted email (it's a bug in the mime decoder which was
fixed in 2.64, as well as 3.0.0).



Re: bayes problem

Posted by Payal Rathod <pa...@scriptkitchen.com>.
On Mon, May 02, 2005 at 02:11:19PM -0400, Matt Kettler wrote:
> How is SA called? from procmail, or something else?

For .qmail file with a script ifspamh

> 
> One major problem I see is that the bayes files have permissions of 400,
> but the bayes DB is site-wide. You generally need to use bayes_file_mode
[...]

Right. Do I need 777 or just 744?

> As for receiving more spam than ever. Well, you're using SA 2.61, which
> IS massively outdated. Spam is a moving target, and SpamAssassin does
> require reasonably frequent updates to keep abreast of changing trends.

How safe is it to change to the new version? His is a live server and we 
don't want to risk anything at all.

With warm regards,
-Payal


Re: bayes problem

Posted by Matt Kettler <mk...@evi-inc.com>.
Payal Rathod wrote:

>Hi,
>I am looking after a friend's email server till he returns from his 
>vacation. In his local.cf (SA 2.61 and yes I know it is time for 
>upgrade) file he has,
>bayes_path /etc/mail/spamassassin/bayes
>use_bayes  1
>score BAYES_50 0.001
>
>Also bayes is well trained with,
>-rw-------    1 root     root      5263360 May  2 01:58 bayes_seen
>-rw-------    1 root     root      4210688 May  2 01:58 bayes_toks
>
>All the spam mails are forwarded to an account 'spam'.
>Lately his users had started complaining that they received more spam 
>than ever, so I checked his spam folder and grepped for bayes in 
>headers. Surprisingly, out of 500 mails none showed bayes in headers.  
>Does that mean bayes has stopped working?
>
Almost certainly. Or, it might only be working for root.

How is SA called? from procmail, or something else?

One major problem I see is that the bayes files have permissions of 400,
but the bayes DB is site-wide. You generally need to use bayes_file_mode
0777 when you specify a bayes_path in your local.cf. (If all users are
to use the same bayes DB, they all must be able to read/write the files
and have rwx to directories. Since these are deleted/recreated by SA
constantly you can't just use chmod.)

If any non-root userID is used when invoking spamassassin, then the
bayes DB will not be accessible.

If he's using a MTA layer tool that always scans as root, this shouldn't
be a problem. However, if he's letting the user's procmailrc call
spamassassin or spamc this could be very troublesome. It's also trouble
if his MTA layer tool deprivileges itself to a non-root userid.

As for receiving more spam than ever. Well, you're using SA 2.61, which
IS massively outdated. Spam is a moving target, and SpamAssassin does
require reasonably frequent updates to keep abreast of changing trends.

I'll admit I'm using 2.64, but I'm also using the Mail::SpamCopURI
addon, and extensive custom rule tuning to keep up with it. Using an
out-of-the box 2.61 setup, even with bayes, hitrate is going to suffer.
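
The access problem discussed in this thread, as an added example that is not part of the original messages: it parses the `ls -l` lines from the first post and applies the POSIX owner/group/other rule to show which invoking user can read and write the Bayes files, then compares the 744 and 777 modes that were asked about. The user `alice` and group `users` are hypothetical.

```python
import stat

# ls -l lines copied from the first post in this thread.
LISTING = """\
-rw-------    1 root     root      5263360 May  2 01:58 bayes_seen
-rw-------    1 root     root      4210688 May  2 01:58 bayes_toks
"""


def parse_ls_line(line):
    """Return (mode_bits, owner, group, name) from one `ls -l` line.

    Simplification: setuid/setgid/sticky letters are not interpreted.
    """
    fields = line.split()
    perms, owner, group, name = fields[0], fields[2], fields[3], fields[-1]
    mode = 0
    for i, ch in enumerate(perms[1:10]):  # nine rwx characters
        if ch != "-":
            mode |= 1 << (8 - i)
    return mode, owner, group, name


def can_read_write(mode, owner, group, user, user_groups):
    """POSIX rule: only one class applies (owner, else group, else other)."""
    if user == "root":
        return True  # root is not restricted by read/write mode bits
    if user == owner:
        need = stat.S_IRUSR | stat.S_IWUSR
    elif group in user_groups:
        need = stat.S_IRGRP | stat.S_IWGRP
    else:
        need = stat.S_IROTH | stat.S_IWOTH
    return (mode & need) == need


def audit(listing, user, user_groups):
    """Map each listed Bayes file to whether `user` can read and write it."""
    result = {}
    for line in listing.splitlines():
        if line.strip():
            mode, owner, group, name = parse_ls_line(line)
            result[name] = can_read_write(mode, owner, group, user, user_groups)
    return result


if __name__ == "__main__":
    print("root :", audit(LISTING, "root", ["root"]))
    print("alice:", audit(LISTING, "alice", ["users"]))  # hypothetical user
    for mode in (0o744, 0o777):  # the two modes asked about in the thread
        ok = can_read_write(mode, "root", "root", "alice", ["users"])
        print(oct(mode), "-> alice can read+write:", ok)
```
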