Posted to users@spamassassin.apache.org by Joey <Jo...@Web56.Net> on 2007/10/31 23:27:57 UTC

Confirm configuration settings

Hello All,

After my post "Help figuring out why SA is taking like 1.5 minutes to filter"
I decided to kind of clean up my configuration and also get rid of
RulesDuJour.

I now have configured sa-update with the following:

Cron updates daily with the following:

/usr/bin/sa-update --channelfile /ibin/sare-sa-update-channels.txt --nogpg ; /sbin/service spamassassin restart

(having issues with the gpg so I am using nogpg for now)

sare-sa-update-channels.txt Content:

----------------------------------------------------------------------------

updates.spamassassin.org
70_sare_adult.cf.sare.sa-update.dostech.net
70_sare_stocks.cf.sare.sa-update.dostech.net
70_sare_bayes_poison_nxm.cf.sare.sa-update.dostech.net
70_sare_unsub.cf.sare.sa-update.dostech.net
70_sare_evilnum0.cf.sare.sa-update.dostech.net
70_sare_uri0.cf.sare.sa-update.dostech.net
70_sare_evilnum1.cf.sare.sa-update.dostech.net
70_sare_uri1.cf.sare.sa-update.dostech.net
70_sare_evilnum2.cf.sare.sa-update.dostech.net
70_sare_uri3.cf.sare.sa-update.dostech.net
70_sare_genlsubj0.cf.sare.sa-update.dostech.net
70_sare_whitelist_rcvd.cf.sare.sa-update.dostech.net
70_sare_genlsubj1.cf.sare.sa-update.dostech.net
70_sare_whitelist_spf.cf.sare.sa-update.dostech.net
70_sare_genlsubj2.cf.sare.sa-update.dostech.net
70_sare_genlsubj3.cf.sare.sa-update.dostech.net
72_sare_bml_post25x.cf.sare.sa-update.dostech.net
70_sare_header0.cf.sare.sa-update.dostech.net
99_sare_fraud_post25x.cf.sare.sa-update.dostech.net
70_sare_header1.cf.sare.sa-update.dostech.net
70_sare_header2.cf.sare.sa-update.dostech.net
70_sare_header3.cf.sare.sa-update.dostech.net
70_sare_html0.cf.sare.sa-update.dostech.net
70_sare_html1.cf.sare.sa-update.dostech.net
70_sare_html2.cf.sare.sa-update.dostech.net
70_sare_html3.cf.sare.sa-update.dostech.net
70_sare_obfu.cf.sare.sa-update.dostech.net
70_sare_oem.cf.sare.sa-update.dostech.net
70_sare_random.cf.sare.sa-update.dostech.net
70_sare_specific.cf.sare.sa-update.dostech.net
70_sare_spoof.cf.sare.sa-update.dostech.net
spam_numbers.cf.sare.sa-update.dostech.net

I noticed these updates go to /var/lib/spamassassin/X.XXX, my first
question is does this folder automatically get used by SA when it's looking
for rules, so there is no config I have to do?

Second if I were to update to a specific folder let's say /myfolder I know I
can pass the parameter on the sa-update of -updatedir /myfolder, however do
I then have to specify in the local.cf anything to ensure we are using that
folder for rules?

For reference if I have a backup folder within the rules folder called
backup, will SA look at any of the rules I copied there without having a cf
file telling it to include any files in that folder?

In other words does it automatically use any cf files it finds within any
subfolder of the main rules folder?

Now my other question is about cleaning up old/outdated junk in my
/etc/mail/spamassassin folder.

Currently remaining I have the following:

-rw-r--r--  1 root root  22K Nov 16  2005 backhair.cf
-rw-r--r--  1 root root 108K Dec 15  2005 bogus-virus-warnings.cf
-rw-r--r--  1 root root  23K Aug  9  2005 chickenpox.cf
-rw-r--r--  1 root root  23K Jun 24  2005 chickenpox.cf.1
-rw-r--r--  1 root root 5.7K May 17  2005 german.cf
-rw-r--r--  1 root root 3.1K Oct 31 14:04 iis_whitelist.cf
-rw-r--r--  1 root root 1.5K Feb 27  2006 iis_whitelist.cfy
-rw-r--r--  1 root root  948 Jun 14 16:19 init.pre
-rw-r--r--  1 root root 2.3K Jun 22 20:57 local.cf
-rw-r--r--  1 root root 1.9K Jan  9  2005 mime_validate.cf
lrwxrwxrwx  1 root root   23 Dec 20  2005 NOTES -> /var/spool/filter/NOTES
-rw-r--r--  1 root root 4.8K May 25  2004 random.cf
drwx------  2 root root 4.0K Oct 31 02:50 sa-update-keys
-rwxr-xr-x  1 root root  235 Feb 15  2006 sa_update.sh
-rw-r--r--  1 root root   62 Jun 14 16:19 spamassassin-default.rc
-rwxr-xr-x  1 root root   35 Jun 14 16:19 spamassassin-helper.sh
-rw-r--r--  1 root root   55 Jun 14 16:19 spamassassin-spamc.rc
-rw-r--r--  1 root root  18K Jan  9  2005 spam_numbers.cf
-rw-r--r--  1 root root  182 Oct 31 03:14 spamtest
-rw-r--r--  1 root root  55K Jun  1  2005 tripwire.cf
-rw-r--r--  1 root root 816K Apr 24  2004 uce_domains.cftest
-rw-r--r--  1 root root 2.2K Jun 22 20:59 v310.pre
-rw-r--r--  1 root root  806 Jun 14 16:19 v312.pre
-rw-r--r--  1 root root 2.1K May  8 08:57 v320.pre

1. Is there a way for me to have sa-update update the .cf files here?
2. Should I get rid of any of these rules (tripwire etc.)?
3. Are there any other rules that do well that I should add?

Anything that can be suggested to improve my configuration is GREATLY
appreciated!

My local.cf contains:

required_score           4.0

# Change the subject of suspected spam
#Jack rewrite_header subject         *****SPAM*****
rewrite_header Subject <<- SPAM Tagged->>

# Encapsulate spam in an attachment (0=no, 1=yes, 2=safe)
report_safe             1

# Enable the Bayes system
use_bayes               1

# Enable Bayes auto-learning
bayes_auto_learn              1

# Enable or disable network checks
skip_rbl_checks         1
use_razor2              1
use_dcc                 1
use_pyzor               1

# Mail using languages used in these country codes will not be marked
# as being possibly spam in a foreign language.
#ok_languages            all

# Mail using locales used in these country codes will not be marked
# as being possibly spam in a foreign language.
ok_locales              all

# ........................................................................
clear_report_template
report THIS IS SPAM MESSAGE-----
report
report Content preview:  _PREVIEW_
report
report Content analysis details:   (_SCORE_ points, _REQD_ required)
report
report " pts rule name              description"
report  ---- ---------------------- --------------------------------------------------
report _SUMMARY_
# ........................................................................

# -----< Scores >---------------------------------------------------------------------
score          URIBL_SBL       7
score          URIBL_SC_SURBL  7
score          URIBL_WS_SURBL  7
score          URIBL_PH_SURBL  7
score          URIBL_OB_SURBL  7
score          URIBL_AB_SURBL  7
score          URIBL_JP_SURBL  7
------------------- end of local.cf -------------------
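
The cron line in the post above passes --nogpg, which turns off signature verification of the downloaded rule archives, and restarts spamd every day whether or not anything changed. The wrapper below is an added example, not part of the original post or of SpamAssassin: it keeps verification on, acts on sa-update's exit status, and lints before restarting. The paths are the poster's; SARE_KEYID is a placeholder for the channel's key ID and RUN_SA_UPDATE is a switch made up for this example.

```sh
#!/bin/sh
# Added example: sa-update cron wrapper that keeps GPG verification on.
# Paths are the ones from the post; SARE_KEYID is a placeholder value.
SA_UPDATE="${SA_UPDATE:-/usr/bin/sa-update}"
SPAMASSASSIN="${SPAMASSASSIN:-/usr/bin/spamassassin}"
SERVICE="${SERVICE:-/sbin/service}"
CHANNELS="${CHANNELS:-/ibin/sare-sa-update-channels.txt}"
SARE_KEYID="${SARE_KEYID:-REPLACE_WITH_CHANNEL_KEY_ID}"

# Map sa-update's exit status to the next step:
#   0 = an update was downloaded and installed, 1 = nothing new,
#   anything else is treated as a failure.
next_action() {
    case "$1" in
        0) echo restart ;;
        1) echo skip ;;
        *) echo fail ;;
    esac
}

update_rules() {
    rc=0
    # No --nogpg here: archives must verify against a key that was
    # added to sa-update's keyring beforehand with `sa-update --import`.
    "$SA_UPDATE" --channelfile "$CHANNELS" --gpgkey "$SARE_KEYID" || rc=$?
    case "$(next_action "$rc")" in
        skip)
            return 0 ;;
        fail)
            echo "sa-update exited with status $rc; spamd not restarted" >&2
            return 1 ;;
    esac
    # Lint the whole active configuration (updates plus local .cf files)
    # so spamd is never restarted onto rules that do not parse.
    if ! "$SPAMASSASSIN" --lint; then
        echo "spamassassin --lint failed; spamd not restarted" >&2
        return 2
    fi
    "$SERVICE" spamassassin restart
}

# RUN_SA_UPDATE is this example's own switch; set it to 1 in the cron entry.
if [ "${RUN_SA_UPDATE:-0}" = 1 ]; then
    update_rules
fi
```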


RE: Confirm configuration settings

Posted by Joey <Jo...@Web56.Net>.
> -----Original Message-----
> From: Daryl C. W. O'Shea [mailto:spamassassin@dostech.ca]
> Sent: Monday, November 05, 2007 11:22 PM
> To: Joey
> Cc: users@spamassassin.apache.org
> Subject: Re: Confirm configuration settings
> 
> Joey wrote:
> 
> >> A lot of the SARE rules support sa-update, as can be found here.
> >>
> >> http://daryl.dostech.ca/sa-update/sare/sare-sa-update-howto.txt
> >
> > I have seen this page before, but I wasn't able to see what cf's are
> > available there, is there another link that you are aware of?
> > I have scanned through a lot of that.
> 
> Rather than scan, read it all. :)  It's literally less than a page.
> Where to find the ruleset filenames is linked to in the third of the
> four steps.
> 
> Daryl


Maybe I'm confused here, but I have my updates working well with the sare updates, however
I was trying to see if there are other rules that sa-update works with.

Thanks!


Re: Confirm configuration settings

Posted by "Daryl C. W. O'Shea" <sp...@dostech.ca>.
Joey wrote:

>> A lot of the SARE rules support sa-update, as can be found here.
>>
>> http://daryl.dostech.ca/sa-update/sare/sare-sa-update-howto.txt
> 
> I have seen this page before, but I wasn't able to see what cf's are available there, is there another link that you are aware of?
> I have scanned through a lot of that.

Rather than scan, read it all. :)  It's literally less than a page. 
Where to find the ruleset filenames is linked to in the third of the 
four steps.

Daryl


RE: Confirm configuration settings

Posted by Joey <Jo...@Web56.Net>.
> -----Original Message-----
> From: Matt Kettler [mailto:mkettler_sa@verizon.net]
> Sent: Thursday, November 01, 2007 8:38 AM
> To: Joey
> Cc: users@spamassassin.apache.org
> Subject: Re: Confirm configuration settings
> 
> >
> > After my post "Help figuring out why SA is taking like 1.5 minutes to
> > filter" I decided to kind of clean up my configuration and also get
> > rid of RulesDuJour.
> >
> Hmm interesting..
> 
> Question, what tools do you use to call SA? Do you know for sure what
> user SA runs as while scanning mail?
> 
> If so, try running a sa-learn --force-expire as that user.

On one of my Dual P3 1GHZ servers I received the following after running the above:
sa-learn --force-expire 
bayes: synced databases from journal in 2 seconds: 1325 unique entries (1861 total entries)

On another Dual P4 2.4GHZ I got this:
bayes: synced databases from journal in 0 seconds: 1511 unique entries (2186 total entries)
expired old bayes database entries in 49 seconds
137607 entries kept, 27993 deleted
token frequency: 1-occurrence tokens: 56.77%
token frequency: less than 8 occurrences: 24.52%

> 
> > 1. Is there a way for me to have sa-update update the .cf files
> > here?
> >
> Some of them can be sa-updated. It's really up to the particular
> ruleset maintainer to set up the DNS features needed. (sa-update doesn't
> just fetch a web page like RDJ does. To save bandwidth it uses DNS to
> find out what the latest update rev is before it goes to HTTP)
> 
> A lot of the SARE rules support sa-update, as can be found here.
> 
> http://daryl.dostech.ca/sa-update/sare/sare-sa-update-howto.txt
> >

I have seen this page before, but I wasn't able to see what cf's are available there, is there another link that you are aware of?
I have scanned through a lot of that.

Thanks for your help!

Joey



Re: Confirm configuration settings

Posted by Matt Kettler <mk...@verizon.net>.
Joey wrote:
>
> Hello All,
>
>  
>
> After my post "Help figuring out why SA is taking like 1.5 minutes to
> filter" I decided to kind of clean up my configuration and also get rid
> of RulesDuJour.
>
Hmm interesting..

Question, what tools do you use to call SA? Do you know for sure what
user SA runs as while scanning mail?

If so, try running a sa-learn --force-expire as that user.

> I noticed these updates go to /var/lib/spamassassin/X.XXX,  my first
> question is does this folder automatically get used by SA when it’s
> looking for rules, so there is no config I have to do?
>
Yes, it automatically gets used. If you run spamassassin --lint -D it
will show you, among other things, what paths and files SA is using.
>
>  
>
> Second if I were to update to a specific folder let's say /myfolder I
> know I can pass the parameter on the sa-update of -updatedir
> /myfolder, however do I then have to specify in the local.cf anything
> to ensure we are using that folder for rules?
>
AFAIK, there's no option to over-ride the LOCAL_STATE_DIR, which is what
this directory is, other than at compile time.
>
>
> For reference if I have a backup folder within the rules folder called
> backup, will SA look at any of the rules I copied there without having
> a cf file telling it to include any files in that folder?
>

> In other words does it automatically use any cf files it finds within
> any subfolder of the main rules folder?
>
No.
>
> 1. Is there a way for me to have sa-update update the .cf files
> here?
>
Some of them can be sa-updated. It's really up to the particular ruleset
maintainer to set up the DNS features needed. (sa-update doesn't just
fetch a web page like RDJ does. To save bandwidth it uses DNS to find
out what the latest update rev is before it goes to HTTP)

A lot of the SARE rules support sa-update, as can be found here.

http://daryl.dostech.ca/sa-update/sare/sare-sa-update-howto.txt
>
> 2. Should I get rid of any of these rules (tripwire etc.)?
>
None of them look to be "bad" rules to have. The ones to avoid include
sa-blacklist* (kills your server), bigevil (kills your server),
antidrug.cf (redundant/outdated compared to rules built-in to SA)
>
> 3. Are there any other rules that do well that I should add?
>
I like the SARE spec ruleset, but I'd not go adding more stuff till you
fix your performance problems..

http://www.rulesemporium.com/rules/70_sare_specific.cf
>
>  
>
> Anything that can be suggested to improve my configuration is GREATLY
> appreciated!
>

Everything else looks good, although you might be a bit over-trusting of
the URIBLS by placing them all at 7. Provided you don't mind a rare FP,
that should be fine, but if you are FP averse, I'd avoid that.  I get
about 1 desirable email every 2 months that gets hit by one of them, and
about 2 newsletters that I intentionally subscribe to, but don't care
too much about, that hit one or more URIBL.. I request delisting, and
they generally do, but eventually some other domain gets picked up.. YMMV.

(and note: I get a *LOT* of email, so those frequencies still boil down
to a very low FP rate)