Posted to users@spamassassin.apache.org by Tony Lay <to...@gmail.com> on 2005/01/26 19:20:38 UTC

logs and probably-spam almost-certainly-spam directories

Hey Gang,

I am trying to establish system wide spam filtering, but only a few
users need it right now.  So I have the flexibility to go either way. 
I think that's where my problem stems…I might have some clutter from
trying things out that is causing this not to work…or I got my wires
crossed on invoking.

SpamAssassin 3.0.1
FreeBSD 5.3.1

The filter appears to be working but I'm concerned that mails are
getting bounced as opposed to being filtered to my users' spam boxes. 
So before we get into more detail shouldn't a user's .procmailrc work
above and beyond the basic system setup?

Here's some info on the setup:

Spamassassin directory and permissions
/etc/mail/spamassassin
-rw-rw-r--  1 root  spam   935 Jan 21 11:17 init.pre
-rw-rw-r--  1 root  spam   234 Jan 26 12:33 razor-agent.log
drwxrwsr-x  2 root  spam   512 Jan 26 12:34 .razor
-rw-rw-r--  1 root  spam  1360 Jan 26 12:38 local.cf

razor-client and razor-admin run as root
/etc/mail/.razor
-rw-rw-r--  1 root  spam   429 Jan 26 12:33 server.joy.cloudmark.com.conf
-rw-rw-r--  1 root  spam    38 Jan 26 12:33 servers.nomination.lst
-rw-rw-r--  1 root  spam    14 Jan 26 12:33 servers.discovery.lst
-rw-rw-r--  1 root  spam    83 Jan 26 12:33 servers.catalogue.lst
-rw-rw-r--  1 root  spam   664 Jan 26 12:34 razor-agent.log
-rw--w----  1 root  spam    90 Jan 26 12:34 identity-ru6o_L61rv
lrwxr-xr-x  1 root  wheel   19 Jan 26 12:34 identity -> identity-ru6o_L61rv
-rw-rw-r--  1 root  spam   779 Jan 26 12:39 razor-agent.conf

spamd is running (will eventually be spamc)
phoenix# ps -awx | grep spam
 8611  ??  Is     0:00.44 /usr/local/bin/spamd -c -d -r /var/run/spamd.pid (perl)
 8616  ??  I      0:00.00 spamd child (perl)
 8617  ??  I      0:00.00 spamd child (perl)
 8618  ??  I      0:00.00 spamd child (perl)
 8619  ??  I      0:00.00 spamd child (perl)
 8620  ??  I      0:00.00 spamd child (perl)

users who are being filtered have the following:

###########
#.procmailrc#
###########

DROPPRIVS=yes

* < 256000
| spamassassin

:0:
* ^X-Spam-Level: \*\*\*\*\*\*\*\*\*\*\*\*\*\*\*
almost-certainly-spam

:0:
* ^X-Spam-Status: Yes
probably-spam

:0
* ^^rom[ ]
{
  LOG="*** Dropped F off From_ header! Fixing up. "

  :0 fhw
  | sed -e '1s/^/F/'
}

###########
#  .forward   #
###########

"|IFS=' ' && exec /usr/local/bin/procmail -f- || exit 75 #username"

Again, mail appears to be filtered for the user.  I see headers
showing messages are being checked.  I see autolearning isn't working
but I'll cross that bridge when I get to it.

X-Spam-Checker-Version:  SpamAssassin 3.0.1 (2004-10-22) on SomeAddress
X-Spam-Level:
X-Spam-Status:  No, score=0.0 required=5.0 tests=RCVD_BY_IP
    autolearn=failed version=3.0.1

The client is IMP (horde) and I already have everything set up in
there for reporting.
$conf['spam']['reporting'] = true;
$conf['spam']['program'] = '/usr/local/bin/spamassassin -x -C /etc/mail/spamassassin -r';
$conf['notspam']['reporting'] = true;
$conf['notspam']['program'] = '/usr/local/bin/spamassassin -C /etc/mail/spamassassin -k';

I don't see anything relevant in
/var/log/maillog
/var/log/messages

and I've looked in and around the user and system .spamassassin and
.razor directories and don't see any logging.  I wouldn't be freaking
out but one guy gets 200 spams a day and it's down to a dull roar and
I need to know where they are going so that we can verify that we
aren't getting false positives.

In summary I'd like to know where to dig and would appreciate any
advice on a basic setup for a few users.  If anybody has time to
assist I can divulge more details as needed.

Regards,

-Tony

Re: logs and probably-spam almost-certainly-spam directories

Posted by Thomas Arend <ml...@arend-whv.info>.

On Wednesday, 26 January 2005 19:20, Tony Lay wrote:
> Hey Gang,
>
> I am trying to establish system wide spam filtering, but only a few
> users need it right now.  So I have the flexibility to go either way.
> I think that's where my problem stems…I might have some clutter from
> trying things out that is causing this not to work…or I got my wires
> crossed on invoking.
>
> SpamAssassin 3.0.1
> FreeBSD 5.3.1
>
[..]

> users who are being filtered have the following:
>
> ###########
> #.procmailrc#
> ###########
>
> DROPPRIVS=yes
>
# To check whether procmailrc is working correctly, include

LOGFILE=$HOME/.procmail.log
VERBOSE=ON

# You should include 

:0 fw: spamassassin.lock
* < 256000
> | spamassassin

BTW: Using spamc with spamd is faster than spamassassin

> :0:
> * ^X-Spam-Level: \*\*\*\*\*\*\*\*\*\*\*\*\*\*\*
> almost-certainly-spam
>
> :0:
>
> * ^X-Spam-Status: Yes
> probably-spam
>
> :0
>
> * ^^rom[ ]
> {
>   LOG="*** Dropped F off From_ header! Fixing up. "
>
>   :0 fhw
>   :
>   | sed -e '1s/^/F/'
>
> }
>

[..]

Cheers 

Thomas

> Regards,
>
> -Tony

-- 
icq:133073900
http://www.t-arend.de

Re: logs and probably-spam almost-certainly-spam directories

Posted by Matt Kettler <mk...@evi-inc.com>.
At 01:20 PM 1/26/2005, Tony Lay wrote:
>I am trying to establish system wide spam filtering, but only a few
>users need it right now.  So I have the flexibility to go either way.
>I think that's where my problem stems…I might have some clutter from
>trying things out that is causing this not to work…or I got my wires
>crossed on invoking.
>
>SpamAssassin 3.0.1
>FreeBSD 5.3.1
>
>The filter appears to be working but I'm concerned that mails are
>getting bounced as opposed to being filtered to my users' spam boxes.
>So before we get into more detail shouldn't a user's .procmailrc work
>above and beyond the basic system setup?

If you're calling from procmail, bouncing is not happening. It's too late 
in the game for that.

From looking at the procmail.cf you have, all the high-scoring spam 
messages are being redirected from your user's mailbox into a separate 
mailbox called "almost-certainly-spam". All tagged spam is being redirected 
to "probably-spam".

Check /var/spool/mail, or wherever your system normally spools delivered mail.
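
An added example, not part of any post in this thread: once the probably-spam and almost-certainly-spam mbox files have been located, a script like the following counts the messages in one and lists the tagged ones that scored closest to the threshold, which are the likeliest false positives. The function names, the 2-point margin and the sample messages are assumptions made for illustration; the X-Spam-Status layout follows the header quoted in the original post, and where the files live depends on procmail's MAILDIR.

```python
import mailbox
import os
import re
import tempfile

# Layout from the thread: "No, score=0.0 required=5.0 tests=... version=3.0.1"
STATUS_RE = re.compile(r"^(Yes|No),\s*score=(-?[\d.]+)\s+required=(-?[\d.]+)", re.I)

def summarize_mbox(path, margin=2.0):
    """Return (message_count, borderline) for an mbox written by the recipes.

    borderline holds (score, sender, subject) for messages tagged as spam whose
    score is within `margin` points of the required value: review these first.
    """
    count, borderline = 0, []
    box = mailbox.mbox(path, create=False)  # read-only use, no locking needed
    for msg in box:
        count += 1
        # The header may be folded across lines; collapse whitespace first.
        status = " ".join(str(msg.get("X-Spam-Status", "")).split())
        m = STATUS_RE.match(status)
        if not m:
            continue
        score, required = float(m.group(2)), float(m.group(3))
        if m.group(1).lower() == "yes" and score - required <= margin:
            borderline.append((score, msg.get("From", "?"), msg.get("Subject", "?")))
    box.close()
    return count, sorted(borderline)

# Constructed sample standing in for a user's probably-spam file.
SAMPLE = (
    "From a@example.com Wed Jan 26 12:00:00 2005\n"
    "From: a@example.com\nSubject: Cheap pills\n"
    "X-Spam-Status: Yes, score=17.3 required=5.0 tests=EXAMPLE_A\n"
    "\tautolearn=no version=3.0.1\n\nbody\n\n"
    "From b@example.org Wed Jan 26 12:05:00 2005\n"
    "From: b@example.org\nSubject: Meeting notes\n"
    "X-Spam-Status: Yes, score=5.4 required=5.0 tests=EXAMPLE_B\n\nbody\n\n"
)

def demo():
    """Write the constructed sample to a temporary mbox and summarize it."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "probably-spam")
        with open(path, "w") as fh:
            fh.write(SAMPLE)
        return summarize_mbox(path)

if __name__ == "__main__":
    print(demo())
```

Pointing `summarize_mbox` at each user's two spam folders gives a daily count to compare against the drop in inbox volume, plus a short list to check by hand.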