Posted to users@spamassassin.apache.org by Matthew Barr <mb...@mbarr.net> on 2005/04/18 00:52:19 UTC

spamc/d not doing SURBL lookups vs spamassassin w/ same config

I've looked through the Wiki, FAQs, READMEs, and GMANE's archives &
searches on this list.  Oh, and Google.. and haven't found anything
that would describe or fix what's happening.


Problem being seen:  I recently switched to spamd / spamc from running
spamassassin out of my procmail.  This is on a mail system I
administer, but with the switch, I saw an upsurge in spam making its
way through.  I've been keeping a watch on the various tests being
triggered, and haven't seen any of the DNSRBLs or SURBLs. I look at
the older spam emails I've captured, and they were frequently being
triggered.  I managed to go ahead and take an old email, strip off
everything that SA had added, and ran it through both spamassassin &
spamc.  I came up with different results.  Here's the current configs,
and then I'll go into my testing methodology.




I'm running spamassassin 3.02, on a Mac OS X 10.2.8 machine. It has  
razor2 installed, along with the various cpan parts needed for net  
tests.


Just to give the current config:

Spamd is run as root with:  /usr/bin/spamd -d --socketpath=/var/run/spamd.sock
spamc is run by the user from procmail with:

:0fw: spamassassin.lock
* < 256000
| /usr/bin/spamc -U /var/run/spamd.sock

-----
spamassassin used to run with:
| /usr/bin/spamassassin

-----

I only have 2 things in my user_prefs
score RCVD_IN_BL_SPAMCOP_NET    3
score RAZOR2_CHECK              3
-----

I've confirmed that the spamd daemon is dropping to the right user by  
watching the logs:
Apr 17 18:22:54 neuromancer spamd[26173]: got connection over /var/run/spamd.sock
Apr 17 18:22:54 neuromancer spamd[26173]: info: setuid to mbarr succeeded
Apr 17 18:22:54 neuromancer spamd[26173]: processing message <11...@spamassassin.apache.org> for mbarr:501.
Apr 17 18:22:57 neuromancer spamd[26173]: clean message (-2.5/5.0) for mbarr:501 in 2.7 seconds, 12724 bytes.
Apr 17 18:22:57 neuromancer spamd[26173]: result: . -2 - BAYES_00,MSGID_FROM_MTA_HEADER,NO_REAL_NAME scantime=2.7,size=12724,mid=<1113776572.85851.ezmlm@spamassassin.apache.org>,bayes=0,autolearn=no


------

I took an old spam (from about 2 weeks ago), and stripped the SA
envelope from it to get the original message.  I captured that to a
file, and looked it over to make sure it had Received-Froms:, etc.  I
then ran it through these 2 programs, from the command line:

cat ~/mail/123 | spamassassin -t
cat ~/mail/123 | /usr/bin/spamc -U /var/run/spamd.sock


I got a drastically different result.  From spamassassin, I got this:

X-Spam-Checker-Version: SpamAssassin 3.0.2 (2004-11-16) on
         xxx.xxx.net
X-Spam-Level: ****************************
X-Spam-Status: Yes, score=28.2 required=5.0 tests=AWL,BAYES_99,
         DNS_FROM_RFC_BOGUSMX,DNS_FROM_RFC_POST,HTML_IMAGE_ONLY_16,
         HTML_MESSAGE,MIME_HTML_ONLY,MIME_HTML_ONLY_MULTI,MPART_ALT_DIFF,
         RAZOR2_CF_RANGE_51_100,RAZOR2_CHECK,RCVD_HELO_IP_MISMATCH,
         RCVD_ILLEGAL_IP,RCVD_IN_BL_SPAMCOP_NET,RCVD_IN_DSBL,
         RCVD_IN_NJABL_PROXY,RCVD_IN_SORBS_HTTP,RCVD_IN_SORBS_MISC,
         RCVD_IN_SORBS_WEB,RCVD_IN_XBL,RCVD_NUMERIC_HELO,URIBL_AB_SURBL,
         URIBL_OB_SURBL,URIBL_SBL,URIBL_SC_SURBL,URIBL_WS_SURBL
         autolearn=unavailable version=3.0.2



From spamc, I got this:
X-Spam-Checker-Version: SpamAssassin 3.0.2 (2004-11-16) on
         xxx.xxx.net
X-Spam-Level: ****************
X-Spam-Status: Yes, score=16.2 required=5.0 tests=AWL,BAYES_99,
         HTML_IMAGE_ONLY_16,HTML_MESSAGE,MIME_HTML_ONLY,MIME_HTML_ONLY_MULTI,
         MPART_ALT_DIFF,RAZOR2_CF_RANGE_51_100,RAZOR2_CHECK,
         RCVD_HELO_IP_MISMATCH,RCVD_ILLEGAL_IP,RCVD_NUMERIC_HELO
         autolearn=no version=3.0.2

(with an associated log of spamd of:
Apr 17 18:46:37 neuromancer spamd[26073]: got connection over /var/run/spamd.sock
Apr 17 18:46:37 neuromancer spamd[26073]: info: setuid to mbarr succeeded
Apr 17 18:46:37 neuromancer spamd[26073]: processing message <62...@web73005.mail.yahoo.com> for mbarr:501.
Apr 17 18:46:38 neuromancer spamd[26073]: identified spam (16.2/5.0) for mbarr:501 in 1.0 seconds, 2472 bytes.
Apr 17 18:46:38 neuromancer spamd[26073]: result: Y 16 - AWL,BAYES_99,HTML_IMAGE_ONLY_16,HTML_MESSAGE,MIME_HTML_ONLY,MIME_HTML_ONLY_MULTI,MPART_ALT_DIFF,RAZOR2_CF_RANGE_51_100,RAZOR2_CHECK,RCVD_HELO_IP_MISMATCH,RCVD_ILLEGAL_IP,RCVD_NUMERIC_HELO scantime=1.0,size=2472,mid=<62044692010937.23693.qmail@web73005.mail.yahoo.com>,bayes=1,autolearn=no

)


So, I'd say that something is happening that's not supposed to be.  I'm
running the network tests, as I'm twigging the razor2 rules.  It must
be something else...

Anyone have any thoughts?

Matthew




Matthew Barr
Managing Partner
Datalyte Consulting, LLC
Apple Authorized Reseller
mailto:mbarr@datalyte.com
cell: (646) 765-6878


Re: spamc/d not doing SURBL lookups vs spamassassin w/ same config

Posted by Kelly Corbin <kc...@theiqgroup.com>.
What does spamassassin -D --lint say?  Especially about the Net::DNS 
module?  It definitely looks like you are not doing the network tests in 
the second test you ran.  It should say something like this:

debug: diag: module installed: Net::DNS, version 0.48

Then further down it should mention the URIDNSBL modules:

debug: plugin: loading Mail::SpamAssassin::Plugin::URIDNSBL from @INC
debug: plugin: registered Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0x9924958)
debug: plugin: loading Mail::SpamAssassin::Plugin::Hashcash from @INC
debug: plugin: registered Mail::SpamAssassin::Plugin::Hashcash=HASH(0x9927820)
debug: plugin: loading Mail::SpamAssassin::Plugin::SPF from @INC
debug: plugin: registered Mail::SpamAssassin::Plugin::SPF=HASH(0x99473f4)
debug: plugin: Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0x9924958) implements 'parse_config'

And then this:

debug: is Net::DNS::Resolver available? yes
debug: Net::DNS version: 0.48
debug: trying (3) intel.com...
debug: looking up NS for 'intel.com'
debug: NS lookup of intel.com succeeded => Dns available (set dns_available to hardcode)
debug: is DNS available? 1

I had a couple of machines that had DNS issues.  On one, the DNS module 
was installed, but too old and I didn't see that it was a problem (just 
that there were no DNS checks in the headers, which I realized later) 
until I ran the above test.  On another, a new enough Net::DNS was 
installed, but because of platform issues, it couldn't find the DNS.pm 
in the @INC path.

The weird thing is explaining the discrepancy between running 
spamassassin and spamc which do the same things.

Kelly

-- 
--------------------------------------------
-- Kelly Corbin
-- Network Administrator
--
-- http://www.theiqgroup.com
--
-- The IQ Group, Inc.
-- 6740 Antioch Suite 260
-- Merriam, KS 66204
-- (913)-722-6700 x105
-- Fax (913)722-7264
--------------------------------------------
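
Added example (not part of the original reply): a Python script that applies the checklist from the reply above to captured spamassassin -D --lint output, tolerating lines that a mail client wrapped mid-line. The function names and the failing sample are constructed for this illustration.

```python
import re

# Lines quoted in the reply above, wrapped the way they arrived in the mail.
GOOD = """debug: diag: module installed: Net::DNS, version 0.48
debug: plugin: registered
Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0x9924958)
debug: is Net::DNS::Resolver available? yes
debug: NS lookup of intel.com succeeded => Dns available (set
dns_available to hardcode)
debug: is DNS available? 1
"""
# Constructed failing sample (not from the thread): no Net::DNS line, no DNS.
BAD = """debug: plugin: registered Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0x1)
debug: is Net::DNS::Resolver available? no
debug: is DNS available? 0
"""

def unwrap(text):
    """Re-join debug lines that were wrapped mid-line in transit."""
    lines = []
    for line in text.splitlines():
        if line.startswith("debug:") or not lines:
            lines.append(line.strip())
        else:
            lines[-1] += " " + line.strip()
    return lines

def dns_checklist(debug_text):
    """Extract the DNS-related facts the reply says to look for."""
    lines = unwrap(debug_text)
    def first(pattern):
        hits = (re.search(pattern, line) for line in lines)
        return next((m.group(1) for m in hits if m), None)
    return {
        "net_dns_version": first(r"module installed: Net::DNS, version (\S+)"),
        "uridnsbl_registered":
            first(r"registered (Mail::SpamAssassin::Plugin::URIDNSBL)=") is not None,
        "resolver_available": first(r"is Net::DNS::Resolver available\? (\w+)") == "yes",
        "dns_available": first(r"is DNS available\? (\d+)") == "1",
    }

def problems(report):
    """Names of the checks that did not pass."""
    return [name for name, ok in report.items() if not ok]

if __name__ == "__main__":
    for name, sample in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, problems(dns_checklist(sample)) or "all checks passed")
```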