Posted to users@spamassassin.apache.org by Mathias Homann <ad...@eregion.de> on 2007/02/23 09:56:29 UTC

spam mails bypassing spamassassin?

Hi,


I'm running the following mail chain:
fetchmail -> postfix -> clamsmtpd -> postfix -> spamassassin 3.1.7 (as 
local_transport via the spamdeliver python script that came with the 
spamassassin sources) -> cyrus imapd (where spam gets sorted out based on its 
score).

Now, for a few days, I keep getting the same spam mail several times a day, 
which has _no_ spamassassin headers at all, as if it has found a way _around_ 
my spamassassin.

Anyone got any ideas?

...Where can I put the mail for general inspection? I guess if I attached it 
to a mail to this list, it would get filtered, right?


bye,
	MH

Re: spam mails bypassing spamassassin?

Posted by Mathias Homann <ad...@eregion.de>.
On Friday, 23 February 2007 10:37:51, David Goldsmith wrote:

>
> Check your mail log for error messages like this one:
>
> spamd[12960]: prefork: server reached --max-children setting, consider raising it
>
> We've been running spamd with '-m8' (max children spawned) for quite
> some time and all of a sudden yesterday, we started getting similar
> behavior where email was coming through without SA headers.
>
> I'm guessing that some of the network checks we are doing are taking
> longer thus tying up the spawned spamd child processes longer.  I bumped
> our -m arg from 8 to 12 (still got the error) and then to 24 -- that
> seems to have helped.
>
> David Goldsmith


Nothing like that in my mail log.

In fact, I don't even see a line reading "spamd: processing message $MSGID" for 
the offending mails in my mail log...

The last bits in my mail log about the message id of the offending message are 
when it comes out of clamsmtpd and gets passed to "spamcheck", which is my 
local transport through spamd and then into imap. But no spamd lines about 
that mail.


bye,
	MH

Re: spam mails bypassing spamassassin?

Posted by David Goldsmith <dg...@sans.org>.

David Goldsmith wrote:

> Check your mail log for error messages like this one:
> 
> spamd[12960]: prefork: server reached --max-children setting, consider raising it
> 
> We've been running spamd with '-m8' (max children spawned) for quite
> some time and all of a sudden yesterday, we started getting similar
> behavior where email was coming through without SA headers.
> 
> I'm guessing that some of the network checks we are doing are taking
> longer thus tying up the spawned spamd child processes longer.  I bumped
> our -m arg from 8 to 12 (still got the error) and then to 24 -- that
> seems to have helped.

Ok, I've dug into this some more because we've suddenly been having a
lot of problems with this.

Searching for references to that error message, I came across this old
post -- http://www.nabble.com/Spamd-child-states--t2223988.html

I grepped through our maillog for 'child states' and saw this:

Feb 23 15:04:44 iceman14 spamd[12960]: prefork: child states: BBBBBBBBBBBBBBBBBBBBBBBB
Feb 23 15:04:47 iceman14 spamd[12960]: prefork: child states: BBBBBBBBBBBBBBBBBBBBBBBB
Feb 23 15:04:53 iceman14 spamd[12960]: prefork: child states: BBBBBBBBBBBBBBBBBBBBBBBB
Feb 23 15:05:07 iceman14 spamd[12960]: prefork: child states: BBBBBBBBBBBBBBBBBBBBBBBB
Feb 23 15:05:22 iceman14 spamd[12960]: prefork: child states: BBBBBBBBBBBBBBBBBBBBBBBB
Feb 23 15:05:28 iceman14 spamd[12960]: prefork: child states: BBBBBBBBBBBBBBBBBBBBBBBB
Feb 23 15:05:35 iceman14 spamd[12960]: prefork: child states: BBBBBBBBBBBBBBBBBBBBBBBB
Feb 23 15:05:44 iceman14 spamd[12960]: prefork: child states: BBBBBBBBBBBBBBBBBBBBBBBB
Feb 23 15:05:49 iceman14 spamd[12960]: prefork: child states: BBBBBBBBBBBBBBBBBBBBBBBB
Feb 23 15:05:59 iceman14 spamd[12960]: prefork: child states: BBBBBBBBBBBBBBBBBBBBBBBB
Feb 23 15:06:02 iceman14 spamd[12960]: prefork: child states: BBBBBBBBBBBBBBBBBBBBBBBB
Feb 23 15:06:03 iceman14 spamd[12960]: prefork: child states: BBBBBBBBBBBBBBBBBBBBBBBB


Doesn't look good.  I went looking for other errors in the log and saw
timeout errors involving ixhash:

spamd[29382]: ixhash timeout reached at /etc/mail/spamassassin/iXhash.pm line 91.

Is anyone experiencing problems connecting to the iXHash servers?

I removed the iXhash.cf and iXhash.pm files from /etc/mail/spamassassin
and restarted it.  Now our child state log entries look like:

Feb 23 15:32:09 iceman14 spamd[29656]: prefork: child states: BI
Feb 23 15:32:10 iceman14 spamd[29656]: prefork: child states: IB
Feb 23 15:32:14 iceman14 spamd[29656]: prefork: child states: II
Feb 23 15:32:23 iceman14 spamd[29656]: prefork: child states: BB
Feb 23 15:32:23 iceman14 spamd[29656]: prefork: child states: BBB
Feb 23 15:32:23 iceman14 spamd[29656]: prefork: child states: BBBB
Feb 23 15:32:23 iceman14 spamd[29656]: prefork: child states: BBBBB
Feb 23 15:32:23 iceman14 spamd[29656]: prefork: child states: BBBBBB
Feb 23 15:32:23 iceman14 spamd[29656]: prefork: child states: BBBBBBB
Feb 23 15:32:23 iceman14 spamd[29656]: prefork: child states: BBBBBBBI
Feb 23 15:32:25 iceman14 spamd[29656]: prefork: child states: IBBBBBBI
Feb 23 15:32:28 iceman14 spamd[29656]: prefork: child states: IBBBBIBI
Feb 23 15:32:28 iceman14 spamd[29656]: prefork: child states: IBBBBIBK
Feb 23 15:32:28 iceman14 spamd[29656]: prefork: child states: IBIBBIB
Feb 23 15:32:28 iceman14 spamd[29656]: prefork: child states: IBIBBB
Feb 23 15:32:28 iceman14 spamd[29656]: prefork: child states: IIIBBB
Feb 23 15:32:28 iceman14 spamd[29656]: prefork: child states: IIBBB
Feb 23 15:32:28 iceman14 spamd[29656]: prefork: child states: IIBIB
Feb 23 15:32:28 iceman14 spamd[29656]: prefork: child states: IIBKB
Feb 23 15:32:29 iceman14 spamd[29656]: prefork: child states: IIBI
Feb 23 15:32:29 iceman14 spamd[29656]: prefork: child states: IIBK
Feb 23 15:32:31 iceman14 spamd[29656]: prefork: child states: III
Feb 23 15:32:31 iceman14 spamd[29656]: prefork: child states: II
Feb 23 15:32:37 iceman14 spamd[29656]: prefork: child states: BI
Feb 23 15:32:38 iceman14 spamd[29656]: prefork: child states: II


Periodic spikes as bursts of messages come through but then the children
spamd processes get cleaned up.

David Goldsmith
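The two spamd log messages discussed in this post, the "server reached --max-children" warning and the "child states" snapshots, are exactly what an operator should alert on, because a saturated spamd is the point at which mail starts reaching the mailbox with no SpamAssassin headers. The parser below is an added example, not code from the thread or from SpamAssassin: it flags every snapshot in which no child is idle, counts the --max-children warning and tallies plugin timeouts like the iXhash one. The sample log lines are constructed from the ones quoted above (with the syslog prefix restored on each line, since the mail wrapped them). The state letters B (busy), I (idle) and K (child being killed) are the ones that appear in this thread; treating any snapshot without an I as "saturated" is this example's own rule.

```python
import re
from collections import Counter

# Constructed sample, assembled from the lines quoted in this post.
SAMPLE_LOG = "\n".join([
    "Feb 23 15:04:44 iceman14 spamd[12960]: prefork: child states: " + "B" * 24,
    "Feb 23 15:04:47 iceman14 spamd[12960]: prefork: server reached --max-children setting, consider raising it",
    "Feb 23 15:04:53 iceman14 spamd[12960]: prefork: child states: " + "B" * 24,
    "Feb 23 15:05:07 iceman14 spamd[29382]: ixhash timeout reached at /etc/mail/spamassassin/iXhash.pm line 91.",
    "Feb 23 15:32:09 iceman14 spamd[29656]: prefork: child states: BI",
    "Feb 23 15:32:23 iceman14 spamd[29656]: prefork: child states: BBBBBBBI",
    "Feb 23 15:32:28 iceman14 spamd[29656]: prefork: child states: IBBBBIBK",
    "Feb 23 15:32:31 iceman14 spamd[29656]: prefork: child states: III",
]) + "\n"

SYSLOG_TS = r"(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d)"
STATES_RE = re.compile(SYSLOG_TS + r" \S+ spamd\[\d+\]: prefork: child states: (?P<states>[A-Z]+)\s*$")
MAXCHILD_RE = re.compile(r"spamd\[\d+\]: prefork: server reached --max-children setting")
TIMEOUT_RE = re.compile(r"spamd\[\d+\]: (?P<plugin>\w+) timeout reached at (?P<file>\S+) line (?P<line>\d+)")


def analyse(log_text):
    """Summarise spamd health from raw syslog text.

    Returns a dict with:
      saturated     - [(timestamp, pool_size)] for every snapshot in which
                      no child was idle, i.e. a new spamc connection would
                      have to wait or fail
      max_children  - how often spamd reported hitting --max-children
      timeouts      - Counter of plugin name -> number of timeouts
      peak_children - largest child pool seen in the log
    """
    saturated = []
    max_children = 0
    timeouts = Counter()
    peak = 0
    for line in log_text.splitlines():
        m = STATES_RE.search(line)
        if m:
            states = m.group("states")
            peak = max(peak, len(states))
            if "I" not in states:          # busy or dying children only
                saturated.append((m.group("ts"), len(states)))
            continue
        if MAXCHILD_RE.search(line):
            max_children += 1
            continue
        m = TIMEOUT_RE.search(line)
        if m:
            timeouts[m.group("plugin")] += 1
    return {"saturated": saturated, "max_children": max_children,
            "timeouts": timeouts, "peak_children": peak}


def fail_open_risk(summary, min_saturated=2):
    """True when the log shows conditions under which spamc will hand mail
    on unscanned: the explicit --max-children warning, or repeated
    snapshots with the whole pool busy."""
    return summary["max_children"] > 0 or len(summary["saturated"]) >= min_saturated


if __name__ == "__main__":
    s = analyse(SAMPLE_LOG)
    print("saturated snapshots:", s["saturated"])
    print("max-children warnings:", s["max_children"])
    print("plugin timeouts:", dict(s["timeouts"]))
    print("fail-open risk:", fail_open_risk(s))
```

Feed it the real log with `analyse(open("/var/log/maillog").read())`; a non-empty `timeouts` counter alongside saturation points at the same cause David found here, a network plugin holding every child until its timeout expires.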

Re: spam mails bypassing spamassassin?

Posted by Robert Nicholson <ro...@gmail.com>.
All of that said, why would it still eventually give up and let the mail 
through without any attempt to filter?

On Feb 23, 2007, at 3:37 AM, David Goldsmith wrote:

>
> Mathias Homann wrote:
>> Hi,
>>
>>
>> I'm running the following mail chain:
>> fetchmail -> postfix -> clamsmtpd -> postfix -> spamassassin 3.1.7 (as
>> local_transport via the spamdeliver python script that came with the
>> spamassassin sources) -> cyrus imapd (where spam gets sorted out
>> based on its score).
>>
>> Now, for a few days, I keep getting the same spam mail several
>> times a day, which has _no_ spamassassin headers at all, as if it
>> has found a way _around_ my spamassassin.
>>
>> Anyone got any ideas?
>>
>> ...Where can I put the mail for general inspection? I guess if I
>> attached it to a mail to this list, it would get filtered, right?
>>
>>
>> bye,
>> 	MH
>>
>
> Check your mail log for error messages like this one:
>
> spamd[12960]: prefork: server reached --max-children setting, consider raising it
>
> We've been running spamd with '-m8' (max children spawned) for quite
> some time and all of a sudden yesterday, we started getting similar
> behavior where email was coming through without SA headers.
>
> I'm guessing that some of the network checks we are doing are taking
> longer thus tying up the spawned spamd child processes longer.  I  
> bumped
> our -m arg from 8 to 12 (still got the error) and then to 24 -- that
> seems to have helped.
>
> David Goldsmith


Re: spam mails bypassing spamassassin?

Posted by David Goldsmith <dg...@sans.org>.

Mathias Homann wrote:
> Hi,
> 
> 
> I'm running the following mail chain:
> fetchmail -> postfix -> clamsmtpd -> postfix -> spamassassin 3.1.7 (as 
> local_transport via the spamdeliver python script that came with the 
> spamassassin sources) -> cyrus imapd (where spam gets sorted out based on its 
> score).
> 
> Now, for a few days, I keep getting the same spam mail several times a day, 
> which has _no_ spamassassin headers at all, as if it has found a way _around_ 
> my spamassassin.
> 
> Anyone got any ideas?
> 
> ...Where can I put the mail for general inspection? I guess if I attached it 
> to a mail to this list, it would get filtered, right?
> 
> 
> bye,
> 	MH
> 

Check your mail log for error messages like this one:

spamd[12960]: prefork: server reached --max-children setting, consider raising it

We've been running spamd with '-m8' (max children spawned) for quite
some time and all of a sudden yesterday, we started getting similar
behavior where email was coming through without SA headers.

I'm guessing that some of the network checks we are doing are taking
longer thus tying up the spawned spamd child processes longer.  I bumped
our -m arg from 8 to 12 (still got the error) and then to 24 -- that
seems to have helped.

David Goldsmith

RE: spam mails bypassing spamassassin?

Posted by Philip Seccombe <ph...@turnstone.co.nz>.
I take it you're saving your email on the same server that does the spam filtering?
The only other thing I could think of, if this is not the case, is email being sent directly to your mail server via secondary MX records or something.
I run a server which filters mail for clients, which is what made me think of it; not sure if this is going to affect you though?

Cheers
Phil


-----Original Message-----
From: Mathias Homann [mailto:admin@eregion.de]
Sent: Fri 2/23/2007 9:56 PM
To: users@spamassassin.apache.org
Subject: spam mails bypassing spamassassin?
 
Hi,


I'm running the following mail chain:
fetchmail -> postfix -> clamsmtpd -> postfix -> spamassassin 3.1.7 (as 
local_transport via the spamdeliver python script that came with the 
spamassassin sources) -> cyrus imapd (where spam gets sorted out based on its 
score).

Now, for a few days, I keep getting the same spam mail several times a day, 
which has _no_ spamassassin headers at all, as if it has found a way _around_ 
my spamassassin.

Anyone got any ideas?

...Where can I put the mail for general inspection? I guess if I attached it 
to a mail to this list, it would get filtered, right?


bye,
	MH


Re: spam mails bypassing spamassassin?

Posted by Matthias Leisi <ma...@leisi.net>.



Mathias Homann wrote:

> Is that size limit configurable?

| Usage: spamc [options] [-e command [args]] < message
|
| Options:
|  [..]
|   -s size             Specify maximum message size, in bytes.
|                       [default: 250k]

- -- Matthias

Re: spam mails bypassing spamassassin?

Posted by Mathias Homann <ad...@eregion.de>.
On Friday, 23 February 2007, Mathias Homann wrote:
> On Friday, 23 February 2007 16:12:59, Matt Kettler wrote:
> > Mathias Homann wrote:
> > > Hi,
> > >
> > >
> > > I'm running the following mail chain:
> > > fetchmail -> postfix -> clamsmtpd -> postfix -> spamassassin 3.1.7 (as
> > > local_transport via the spamdeliver python script that came with the
> > > spamassassin sources) -> cyrus imapd (where spam gets sorted out based
> > > on its score).
> > >
> > > Now, for a few days, I keep getting the same spam mail several times
> > > a day, which has _no_ spamassassin headers at all, as if it has found a
> > > way _around_ my spamassassin.
> > >
> > > Anyone got any ideas?
> >
> > How big was the message? I see it had an .xls file attached. Was it
> > over the default 250k  limit that spamc will, by default, bypass
> > scanning after?
>
> it actually _was_ that big... close to 400k actually.
>
> So, if a spammer wants to be sure that his crap doesn't get booted, all he
> needs to do is attach enough image spams to go over that 250kbyte limit???
>
>
> somehow I don't like that.
>
> Is that size limit configurable?


Or even better: make that two limits; the smaller one tells SpamAssassin not 
to check the body anymore (that could be the 250 KB size limit), and the other 
one tells SA to skip the whole mail (this limit should be noticeably bigger).

With that it would at least be possible to blacklist huge spams.

bye,
	MH



-- 
Unsolicited advertising e-mail sent to private individuals violates §1 UWG and 
§823 I BGB (ruling of the Berlin Regional Court of 2 August 1998, case no. 16 O 201/98). Any 
commercial use of the personal data transmitted, and any passing of it on to 
third parties, is expressly prohibited!

gpg key fingerprint: 5F64 4C92 9B77 DE37 D184  C5F9 B013 44E7 27BD 763C

Re: spam mails bypassing spamassassin?

Posted by Mathias Homann <ad...@eregion.de>.
On Friday, 23 February 2007 16:12:59, Matt Kettler wrote:
> Mathias Homann wrote:
> > Hi,
> >
> >
> > I'm running the following mail chain:
> > fetchmail -> postfix -> clamsmtpd -> postfix -> spamassassin 3.1.7 (as
> > local_transport via the spamdeliver python script that came with the
> > spamassassin sources) -> cyrus imapd (where spam gets sorted out based on
> > its score).
> >
> > Now, for a few days, I keep getting the same spam mail several times a
> > day, which has _no_ spamassassin headers at all, as if it has found a way
> > _around_ my spamassassin.
> >
> > Anyone got any ideas?
>
> How big was the message? I see it had an .xls file attached. Was it
> over the default 250k  limit that spamc will, by default, bypass
> scanning after?

it actually _was_ that big... close to 400k actually.

So, if a spammer wants to be sure that his crap doesn't get booted, all he 
needs to do is attach enough image spams to go over that 250kbyte limit???


somehow I don't like that.

Is that size limit configurable?


bye,
	MH




Re: spam mails bypassing spamassassin?

Posted by Matt Kettler <mk...@verizon.net>.
Mathias Homann wrote:
> Hi,
>
>
> I'm running the following mail chain:
> fetchmail -> postfix -> clamsmtpd -> postfix -> spamassassin 3.1.7 (as 
> local_transport via the spamdeliver python script that came with the 
> spamassassin sources) -> cyrus imapd (where spam gets sorted out based on its 
> score).
>
> Now, for a few days, I keep getting the same spam mail several times a day, 
> which has _no_ spamassassin headers at all, as if it has found a way _around_ 
> my spamassassin.
>
> Anyone got any ideas?
>   
How big was the message? I see it had an .xls file attached. Was it
over the default 250k  limit that spamc will, by default, bypass
scanning after?


Re: spam mails bypassing spamassassin?

Posted by Mathias Homann <ad...@eregion.de>.
On Friday, 23 February 2007 10:06:06, Mathias Homann wrote:
> On Friday, 23 February 2007 09:56:29, Mathias Homann wrote:
> > Now, for a few days, I keep getting the same spam mail several times a
> > day, which has _no_ spamassassin headers at all, as if it has found a way
> > _around_ my spamassassin.
>
> By the way... when I run that offending mail manually through
> spamassassin -D -t, it gets scored just fine (and with its score of over
> 30, sieve on my imap would have gotten rid of it).
>
>
> bye,
> 	MH


mail sits at http://pastebin.com/887137


bye,
	MH

Re: spam mails bypassing spamassassin?

Posted by Mathias Homann <ad...@eregion.de>.
On Friday, 23 February 2007 09:56:29, Mathias Homann wrote:

> Now, for a few days, I keep getting the same spam mail several times a
> day, which has _no_ spamassassin headers at all, as if it has found a way
> _around_ my spamassassin.

By the way... when I run that offending mail manually through 
spamassassin -D -t, it gets scored just fine (and with its score of over 30, 
sieve on my imap would have gotten rid of it).


bye,
	MH