Posted to users@spamassassin.apache.org by FH <fh...@usa.net> on 2005/10/19 15:37:26 UTC

sa-learn ham and auto_whitelist

I have a script that goes through and looks for ham mailboxes every 6
hours[1], I also recently added the below to my local.cf file:

use_auto_whitelist 1
auto_whitelist_path /etc/mail/spamassassin/auto-whitelist

and primed the auto-whitelist w/ 

spamassassin --add-addr-to-whitelist=<problem email> [according to the ORA
book]

and restarted spamd.  This was about a week ago but the user is still
reporting the emails from this address are consistently coming through marked
as spam.

Some more relevant info:
- I'm running SA 3.0.2 w/ Postfix and for the most part it seems to be working
ok.  Since I've added the scripts that look for ham/spam automatically every 6
hours the hit rate has significantly improved.

- The emails that are marked as spam are in a foreign language (Korean in case
that's significant somehow), however there are other emails in that language
that come through ok.

- I know I could add a "whitelist_from" to local.cf but I was hoping for a
more elegant solution ;)

- I don't allow user defined rules.


Questions:
- Does everything I did look right?  Are there other tricks/tips that I
missed?

- Is it just a matter of giving it enough time?  Looking at the spam scores of
the emails, they are still coming in all over the place.  There haven't been
that many since the auto_whitelist went into place but we've been working
through sa-learn for a couple of months now and nothing seems to be changing.

Thanks


[1] Cronjob that runs 
find /local/home -name ham -type f ! \( -size 0 \) -ls -exec hamproc {} \;

hamproc contains
/usr/local/bin/sa-learn --ham --showdots --mbox "$1"



Re: SA 3.1 X-headers prepended instead of appended

Posted by ka...@ourldsfamily.com.
On Thu, October 20, 2005 10:35 am, Justin Mason said:
> karlp@ourldsfamily.com writes:
>> On Thu, October 20, 2005 8:52 am, qqqq said:
>> > I finally took the leap to SA 3.1 but am confused as to why the SA
>> > X-Headers are prepended to the message and not
>> > appended like the previous versions.  This is causing havoc on my
>> > Blackberry.  Is this normal?
>> I believe this is causing havoc with my email. I'm getting ALL_TRUSTED
>> email that is clearly NOT from within my trusted network. Yes, I have
>> manually set trusted_networks.
>> My thought is that since the X- headers are put right after the
>> Return-Path: header, which is the first line of the header, that SA
>> isn't checking the rest of the header. At least that's why it looks
>> like as the rest of the Received: headers are from untrusted hosts.
>
> no, it doesn't work like that.
>
> you could try opening a bug and attaching a "before" and "after" copies,
> where "after" is the results of spamassassin -t.

With that in mind, I just had the thought that I've 'broken' the
trusted_networks line. Currently I have:

trusted_networks        172.20.20/24 10/8 127/8 198.60.114.90
where:
172.20.20.     is my firewall subnet
10.            is the internal subnet
127.           localhost (duh)
198.60.114.90  is my public IP  <=- this is where I think I may be
breaking the thing. Should that IP be 'trusted' or will that cause
spoofing problems to get by SA? Also, is the format correct?

Your help is greatly appreciated.

Karl




Re: SA 3.1 X-headers prepended instead of appended

Posted by ka...@ourldsfamily.com.
On Thu, October 20, 2005 8:52 am, qqqq said:
> All,
>
> I finally took the leap to SA 3.1 but am confused as to why the SA
> X-Headers are prepended to the message and not
> appended like the previous versions.  This is causing havoc on my
> Blackberry.  Is this normal?

I believe this is causing havoc with my email. I'm getting ALL_TRUSTED
email that is clearly NOT from within my trusted network. Yes, I have
manually set trusted_networks.

My thought is that since the X- headers are put right after the
Return-Path: header, which is the first line of the header, that SA isn't
checking the rest of the header. At least that's why it looks like as the
rest of the Received: headers are from untrusted hosts.

So, any information will be greatly appreciated as I manage 2 different
email servers.

Thanks

>
> TIA,
>
> QQQQ
>


-- 
karl



SA 3.1 X-headers prepended instead of appended

Posted by qqqq <qq...@usermail.com>.
All,

I finally took the leap to SA 3.1 but am confused as to why the SA X-Headers are prepended to the message and not
appended like the previous versions.  This is causing havoc on my Blackberry.  Is this normal?

TIA,

QQQQ


Re: sa-learn ham and auto_whitelist

Posted by Matt Kettler <mk...@evi-inc.com>.
FH wrote:
> I have a script that goes through and looks for ham mailboxes every 6
> hours[1], I also recently added the below to my local.cf file:
> 
> use_auto_whitelist 1
> auto_whitelist_path /etc/mail/spamassassin/auto-whitelist
> 
> and primed the auto-whitelist w/ 
> 
> spamassassin --add-addr-to-whitelist=<problem email> [according to the ORA
> book]
>

The ORA book apparently was mistaken. IMHO, this should *only* ever be used to
correct accidental contamination of the AWL database.

It should never be used as a mechanism to try to whitelist a sender, as its
effects decay as additional messages are received and you'll have to keep
re-running it to achieve the same results.

> and restarted spamd.  This was about a week ago but the user is still
> reporting the emails from this address are consistently coming through marked
> as spam.
> 
> Some more relevant info:
> - I'm running SA 3.0.2 w/ Postfix and for the most part it seems to be working
> ok.  Since I've added the scripts that look for ham/spam automatically every 6
> hours the hit rate has significantly improved.
> 
> - The emails that are marked as spam are in a foreign language (Korean in case
> that's significant somehow), however there are other emails in that language
> that come through ok.
> 
> - I know I could add a "whitelist_from" to local.cf but I was hoping for a
> more elegant solution ;)

That is infinitely more elegant than using spamassassin
--add-addr-to-whitelist. Better would be to use whitelist_from_rcvd.


> 
> - I don't allow user defined rules.
> 
> 
> Questions:
> - Does everything I did look right?  Are there other tricks/tips that I
> missed?

Really, you shouldn't be looking at the scores. You should be looking at what
rules the messages are hitting. Only this can tell you the "why" of the matter.
Everything else is just looking at the results.
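
Added example, not part of the thread and not SpamAssassin's own code: a simplified Python model of why priming the AWL with --add-addr-to-whitelist wears off as more mail from the sender arrives. Assumptions: the AWL keeps a per-sender total and count, adjusts each message by (mean - score) * auto_whitelist_factor with the default factor 0.5, priming records one entry of -100, required_score is 5.0, and the raw score of 9.0 is constructed sample input.

```python
from dataclasses import dataclass

AWL_FACTOR = 0.5       # assumption: default auto_whitelist_factor
PRIME_SCORE = -100.0   # assumption: value recorded by --add-addr-to-whitelist
REQUIRED_SCORE = 5.0   # assumption: default required_score


@dataclass
class AwlEntry:
    """Per-sender history: sum of raw scores and number of messages seen."""
    total: float = 0.0
    count: int = 0

    def score_message(self, raw: float) -> float:
        """Return the AWL-adjusted score, then record the raw score."""
        if self.count:
            mean = self.total / self.count
            delta = (mean - raw) * AWL_FACTOR  # pull halfway toward the mean
        else:
            delta = 0.0                        # no history, no adjustment
        self.total += raw
        self.count += 1
        return raw + delta


def simulate(raw_score: float, messages: int, primed: bool = True) -> list:
    """Adjusted scores for a run of messages that all score raw_score."""
    entry = AwlEntry(PRIME_SCORE, 1) if primed else AwlEntry()
    return [entry.score_message(raw_score) for _ in range(messages)]


def first_flagged(scores, required: float = REQUIRED_SCORE):
    """1-based index of the first message at or above the threshold."""
    for n, score in enumerate(scores, start=1):
        if score >= required:
            return n
    return None


if __name__ == "__main__":
    # Constructed input: a sender whose mail keeps hitting 9.0 points of rules.
    scores = simulate(raw_score=9.0, messages=16)
    for n, score in enumerate(scores, start=1):
        verdict = "SPAM" if score >= REQUIRED_SCORE else "ham"
        print(f"message {n:2d}: adjusted {score:7.2f}  {verdict}")
    print("first flagged message:", first_flagged(scores))
```

In this model the single -100 entry is averaged against every later raw score, so the sender's mean climbs back toward what the rules actually produce, while a whitelist_from or whitelist_from_rcvd line applies the same adjustment to every message.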