You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@spamassassin.apache.org by Timothy Burt <sa...@timburt.com> on 2006/05/03 20:25:00 UTC
Amavisd - SA misses The Bat spams sometimes
I am running amavisd-new 2.3.3 & spamd 3.1.0 on a couple of servers with
postfix running as the MTA.
I have setup some user defined rules in the
~homedir/.spamassassin/user_prefs file and most of the time, I can see the
results of running these tests in the headers.
One of the rules I have is:
header T_SUBJ_MYBAT X-Mailer =~ /The Bat/i
describe T_SUBJ_MYBAT Mailer - The Bat
score T_SUBJ_MYBAT 2.9
My problem is that I am seeing spam in my INBOX, that has a header line
that matches the rule, but the rule does not appear to be evaluated, and
the spam is passed as ham.
But the rule does catch some of the spam, because when I added it, the
number of "Bat" spams dropped significantly. The problem is that some
spam with the Bat header is still being delivered.
Is there something that would cause the rules in user_prefs to be skipped
for some emails?
I have tried several permutations of the perl pattern, with and without
the exclamation point. Same deal.
Here is the header from one of the skipped emails.
Can anyone point me in the right direction?
------------------
>From cturner@altacocina.com Wed May 3 06:35:26 2006
Return-Path: <ct...@altacocina.com>
Delivered-To: janet@bob.aa-servers.com
Received: from localhost (bob.aa-servers.com [127.0.0.1])
by bob.aa-servers.com (Postfix) with ESMTP id 24AC24D42CE
for <ja...@bob.aa-servers.com>; Wed, 3 May 2006 06:35:26 -0700
(PDT)
Received: from bob.aa-servers.com ([127.0.0.1])
by localhost (bob.aa-servers.com [127.0.0.1]) (amavisd-new, port 10024)
with ESMTP id 22853-02 for <ja...@bob.aa-servers.com>;
Wed, 3 May 2006 06:35:19 -0700 (PDT)
Received: from -1211686752 (unknown [213.47.180.133])
by bob.aa-servers.com (Postfix) with SMTP id 9D7844D4302
for <ab...@indylewisphoto.com>; Wed, 3 May 2006 06:35:09
-0700 (PDT)
Received: from altacocina.com (-1211278472 [-1211783448])
by chello213047180133.tirol.surfer.at (Qmailv1) with ESMTP id
8558BB9B04
for <ab...@indylewisphoto.com>; Wed, 03 May 2006 06:34:58
-0400
Date: Wed, 03 May 2006 06:34:58 -0400
From: "Rococo H. Alerter" <ct...@altacocina.com>
X-Mailer: The Bat! (v2.00.2) Personal
X-Priority: 3
Message-ID: <90...@altacocina.com>
To: Abxoefsu <ab...@indylewisphoto.com>
Subject: replica watches
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="----------56AB7490F761137"
X-AntiVirus: checked by AntiVir MailGate (version: 2.0.1.10; AVE:
6.20.0.1; VDF: 6.20.0.46; host: chello213047180133.tirol.surfer.at)
X-Virus-Scanned: amavisd-new at aa-servers.com
X-Spam-Status: No, score=0.258 tagged_above=-100.5 required=2.4
tests=[HTML_FONT_BIG=0.256, HTML_MESSAGE=0.001, UNPARSEABLE_RELAY=0.001]
X-Spam-Score: 0.258
X-Spam-Level:
Status: RO
X-Status:
X-Keywords:
X-UID: 982
--------------------
Timothy Burt
Los Angeles, Calif. USA
Re: Amavisd - SA misses The Bat spams sometimes
Posted by Timothy Burt <sa...@timburt.com>.
Thanks for your reply. Please see my answers inline below:
--------------------
Timothy Burt
Los Angeles, Calif. USA
On Wed, 3 May 2006, Matt Kettler wrote:
> Loren Wilton wrote:
>> I believe Amvis uses its own headers rather than the SA headers for spam
>> mails, and doesn't bother showing details on non-spam messages.
>>
>> So in all probability you rule is hitting, but it is only 2.9, and your spam
>> threshold is probably around 5. So if some other things don't hit too it
>> won't be spam, and Amvis may not show you that any rules hit.
>>
>> Loren
>>
>
> Loren, he's got his configured to always add headers with SA hit lists.
>
> -------------------------
> X-Spam-Status: No, score=0.258 tagged_above=-100.5 required=2.4
> tests=[HTML_FONT_BIG=0.256, HTML_MESSAGE=0.001, UNPARSEABLE_RELAY=0.001]
> -------------------------
>
>
>> I have setup some user defined rules in the ~homedir/.spamassassin/user_prefs file and most of the time, I can see the results of running these tests in the headers.
>
>
> Timothy:
>
> 0) Be sure to read my previous message about the nature of The Bat. It is not a
> spam tool. Temper your score accordingly.
Your point is well taken. It would be helpful to continue on with this
example, as "The Bat" is not the issue I am facing, but the skipping of
the rules. Thanks for your advice.
>
> 1) Are you sure you have the right homedir? You realize that the correct home
> dir is not the recipient of the message, but the homedir of the amavis user, right?
Yes, I have a test rule, that fires on my personal email address, in the
user_prefs file. I see this rule evaled, whenever an email addressed to
my personal address is received and passed. So I got the right
user_prefs. But good of you to ask..
I do not know if I have ever seen an email, addressed to me (that would
fire the test rule) that fails to fire the "Bat" rule. In other words, I
do not have proof positive that the user_prefs are being eval'd when the
"Bat" rule is missed. It may be that user_prefs is skipped entirely, it
probably is.
>
> 2) Since your rules are declared in user_prefs, have you declared
> allow_user_rules in your local.cf?
Curious that the answer to this is no. I saw this in the docs, after I
had the user_prefs confirmed as working.. I will try adding it anyway.
>
> 3) Why are you declaring rules in user_prefs anyway, instead of a .cf file in
> /etc/mail/spamassassin?
Probably because there was an easy example for the user_prefs file, and
when I tried the example, it worked as advertised. Do you think this
would make a difference?
>
> 4) Have you restarted amavis since adding the rules?
Always...
>
> 5) Have you run spamassassin --lint to check for errors?
>
Yes, and it said I was missing an SSL module, which I promptly installed.
Now it comes back clean.
-----------------
Thanks again for your help... I am pretty experienced with UNIX/Linux,
but I am not an SA guru. Amavisd-new gets a little confusing because it
ignores some SA features, and sets some runtime params thru the
amavisd.conf file instead of SA conf files. I just don't know enough
about it yet.
Re: Amavisd - SA misses The Bat spams sometimes
Posted by Matt Kettler <mk...@evi-inc.com>.
Loren Wilton wrote:
> I believe Amvis uses its own headers rather than the SA headers for spam
> mails, and doesn't bother showing details on non-spam messages.
>
> So in all probability you rule is hitting, but it is only 2.9, and your spam
> threshold is probably around 5. So if some other things don't hit too it
> won't be spam, and Amvis may not show you that any rules hit.
>
> Loren
>
Loren, he's got his configured to always add headers with SA hit lists.
-------------------------
X-Spam-Status: No, score=0.258 tagged_above=-100.5 required=2.4
tests=[HTML_FONT_BIG=0.256, HTML_MESSAGE=0.001, UNPARSEABLE_RELAY=0.001]
-------------------------
> I have setup some user defined rules in the ~homedir/.spamassassin/user_prefs file and most of the time, I can see the results of running these tests in the headers.
Timothy:
0) Be sure to read my previous message about the nature of The Bat. It is not a
spam tool. Temper your score accordingly.
1) Are you sure you have the right homedir? You realize that the correct home
dir is not the recipient of the message, but the homedir of the amavis user, right?
2) Since your rules are declared in user_prefs, have you declared
allow_user_rules in your local.cf?
3) Why are you declaring rules in user_prefs anyway, instead of a .cf file in
/etc/mail/spamassassin?
4) Have you restarted amavis since adding the rules?
5) Have you run spamassassin --lint to check for errors?
Re: Amavisd - SA misses The Bat spams sometimes
Posted by Loren Wilton <lw...@earthlink.net>.
I believe Amvis uses its own headers rather than the SA headers for spam
mails, and doesn't bother showing details on non-spam messages.
So in all probability you rule is hitting, but it is only 2.9, and your spam
threshold is probably around 5. So if some other things don't hit too it
won't be spam, and Amvis may not show you that any rules hit.
Loren
Re: Amavisd - SA misses The Bat spams sometimes
Posted by Matt Kettler <mk...@evi-inc.com>.
Timothy Burt wrote:
>
> I am running amavisd-new 2.3.3 & spamd 3.1.0 on a couple of servers with
> postfix running as the MTA.
Note: AFAIK Amavisd-new doesn't use spamd... It calls Mail::SpamAssassin directly.
>
> I have setup some user defined rules in the
> ~homedir/.spamassassin/user_prefs file and most of the time, I can see
> the results of running these tests in the headers.
>
> One of the rules I have is:
>
> header T_SUBJ_MYBAT X-Mailer =~ /The Bat/i
> describe T_SUBJ_MYBAT Mailer - The Bat
> score T_SUBJ_MYBAT 2.9
You do realize that The Bat is not a spam tool, it is a legitimate mail client.
Right?
It is used by several residents of this list, including Jeff Chan (head of
surbl.org) and Robert Menschel (Active SpamAssassin Developer).