should I upgrade?

[Sergei Gerasenko <ge...@publicschoolworks.com>]

Hello everybody,

Got a potentially previously answered question. I have spamassassin
3.0.2-3, which is the current release with Debian. I wouldn't like to
deviate from the official package and so I'm wondering if it's
absolutely necessary to upgrade. I diffed the rules, they seem to be the
same. 

That's actually why I'm looking into this. I'll need to update the rules
periodically and sa-update is not in 3.0.2. Is there a repository of the
standard rules somewhere? I couldn't find it no matter how hard I
looked.

I saw on the spamassassin site that 3.0.0 should be upgraded, but does it go
for 3.0.2 as well? Sorry if this has been answered many times.

Thanks!

Re: should I upgrade?

[Jim Knuth <jk...@jkart.de>]

Heute (11.04.2006/02:40 Uhr) schrieb Matt Kettler,

> The whole idea behind SA 0.1 through 3.0.5 was that if you needed new
> rules, you upgraded your SA version. Rule updates were previously very
> slow, due to the expensive mass-check process. New releases of SA code
> came out much faster than new rules, thus there was no point in
> separating the two. (rule updates were typically only made once or twice
> for a given major.minor release of SA. ie: 2.60 and 2.64 had rule
> updates, 2.61-63 did not.)

> With 3.1.1 and higher

higher? what did you mean? 3.1.1 is the latest version, or? You
mean the following version or what? ;)

> , the SA devs are trying out an approach of adding
> on rules and making updates to an already released version. However,
> this is a completely new concept, and thus only supported on the
> completely new version.

-- 
Viele Gruesse, Kind regards,
 Jim Knuth
 jk@jkart.de
 ICQ #277289867
----------
Zufalls-Zitat
----------
Küchenschaben gab es schon, ehe die Dinosaurier auf der 
Erde erschienen.
----------
Der Text hat nichts mit dem Empfaenger der Mail zu tun
----------
Virus free. Checked by NOD32 Version 1.1481 Build 7052  10.04.2006

Re: Trusted Hosts

[Matt Kettler <mk...@comcast.net>]

leonard.gray@srs.gov wrote:
>
> I'm wanting to test SA's SPF implementation here by running a test
> message through a "sandbox" machine that
> is configured like our production environment.
>
> Our domain has an SPF record, and I've made sure that it's reflected
> on our internal network.  I've tested SPF
> as a standalone implementation, and messages coming through that route
> get rejected like they're supposed
> to.
>
> When I try to hand this off to SA, it appears that my test machine and
> the message itself is getting flagged as
> ALL_TRUSTED, and because of that, the SPF plugin doesn't even try to
> validate the IP against the domain.
>
> What do I have to do in order to make this a "non-trusted"
> transaction?  I can't find how "ALL_TRUSTED" is set
> or determined.
It finds out by either guessing, or by you setting it with the
trusted_networks command.

see:
http://wiki.apache.org/spamassassin/TrustPath

Trusted Hosts

[le...@srs.gov]

I'm wanting to test SA's SPF implementation here by running a test message 
through a "sandbox" machine that
is configured like our production environment.

Our domain has an SPF record, and I've made sure that it's reflected on 
our internal network.  I've tested SPF
as a standalone implementation, and messages coming through that route get 
rejected like they're supposed
to.

When I try to hand this off to SA, it appears that my test machine and the 
message itself is getting flagged as
ALL_TRUSTED, and because of that, the SPF plugin doesn't even try to 
validate the IP against the domain.

What do I have to do in order to make this a "non-trusted" transaction?  I 
can't find how "ALL_TRUSTED" is set
or determined.

Thanks!

Re: should I upgrade?

[Loren Wilton <lw...@earthlink.net>]

> I installed SpamAssassin today for the first time and "The Ultimate
> Online Pharmaceutical" (seems like a LOT of people get this one in

If you don't have any SARE rules you should probably grab a handful.  They
help with these little nasties.  www.rulesemporium.com

        Loren

Re: should I upgrade?

[Loren Wilton <lw...@earthlink.net>]

> I tried sa-learn, but don't you need a sizable spam collection for it to
> work? The docs say that you need to collect about a thousand of ham and
> spam messages before the training starts to work. That sounds like a
> pain in the neck. Or am I missing something?

By default you need 200 hams and 200 spams before Bayes will kick in.  You
should continue to feed it for a while with choice morsels, and feed it
anything it gets wrong so that it can correct its ways.  (Also feed it spam
it scores around Bayes_50, which indicates that it doesn't know that it is
spam.)

        Loren

Re: should I upgrade?

[Sergei Gerasenko <ge...@publicschoolworks.com>]

> Consider < 3 months (better: < 1 month) for spam, < 6 months for ham.

Thanks! I thought nobody would reply! I know what to do now. 

Re: should I upgrade?

[Loren Wilton <lw...@earthlink.net>]

> to be pretty recent. Or are they saying that both ham and spam collected
> should be from the same time period. If so, do you know what the maximum
> time discrepancy could be? Should I worry about it at all?

Spam needs to be recent.  Ham should be recent if convenient.  But ham
usually doesn't change as much as spam, so older stuff will usually work.

Consider < 3 months (better: < 1 month) for spam, < 6 months for ham.

        Loren

Re: should I upgrade?

[Sergei Gerasenko <ge...@publicschoolworks.com>]

Hi Richard,

Thank you for a thoughtful reply. I'm ok with collecting spam. The only
thing is that I read in the docs somewhere that this collected spam has
to be pretty recent. Or are they saying that both ham and spam collected
should be from the same time period. If so, do you know what the maximum
time discrepancy could be? Should I worry about it at all?

Thank you!

Sergei

On Tue, Apr 11, 2006 at 09:18:33AM -0400, BMWrider wrote:
> Sergei,
> 
> Collect the SPAM that is getting through now in a folder. From a root  
> account run the following:
> 
> sa-learn --spam /Path to folder containing SPAM
> 
> You can train SA with any number of SPAM messages. The overall  
> accuracy of bayes will improve after
> it has a large corpus, but you can rather quickly stop specific SPAM  
> messages by training manually.
> Manual training is important because you are training with the SPAM  
> hitting your server.
> 
> The whole thing is a cat and mouse game between SA users and  
> spammers. You stop them today
> and they will come up with something new tomorrow. Then you will have  
> to manually train again and
> the cycle continues.
> 
> You can do the reverse if SA tags ham as SPAM. Feed the good email  
> back to SA with
> 
> sa-learn --ham  /Path to folder containing HAM
> 
> Richard
> 
> 
> 
> 
> 
> 
> 
> 
> "The advantage of a bad memory is that one enjoys several times the  
> same good things for the first time."
> ....Friedrich Nietzsche
> 
> 
> On Apr 10, 2006, at 10:00 PM, Sergei wrote:
> 
> >I tried sa-learn, but don't you need a sizable spam collection for  
> >it to
> >work? The docs say that you need to collect about a thousand of ham  
> >and
> >spam messages before the training starts to work. That sounds like a
> >pain in the neck. Or am I missing something?
> >
> >I ran sa-learn on this one message, than ran SA with the -D switch and
> >it said that it was ignoring the Bayes database because there was only
> >one message.
> >
> >How is it working for you? Or did you do the initial training?
> >
> >On Mon, 2006-04-10 at 21:49 -0400, BMWrider wrote:
> >>All,
> >>
> >>When I upgraded to 3.1.1 the Online Pharmaceutical SPAM also came
> >>through. It didn't take much effort to
> >>run sa-learn --spam on a bunch of them to shut them out. The spammers
> >>are trying some new tricks right
> >>now which will get through a fresh upgrade but again manual training
> >>will stop them quickly.
> >>
> >>Richard
> >>
> >>
> >>
> >>"The advantage of a bad memory is that one enjoys several times the
> >>same good things for the first time."
> >>....Friedrich Nietzsche
> >>
> >>
> >>On Apr 10, 2006, at 8:59 PM, Sergei Gerasenko wrote:
> >>
> >>>Thanks for such a quick reply. So upgrading would really be  
> >>>helpful in
> >>>terms of performance if nothing else. Ok, I'll give it a thought.
> >>>Maybe
> >>>I'll find a Debian package with the latest version. Should be
> >>>possible.
> >>>
> >>>I installed SpamAssassin today for the first time and "The Ultimate
> >>>Online Pharmaceutical" (seems like a LOT of people get this one in
> >>>particular) came through undetected. I had to add a manual rule to
> >>>take
> >>>care of it. Could that have happened because I have an older
> >>>version of
> >>>SA? If so, any options besides upgrading?
> >>>
> >>>Thanks!
> >>>
> >>>On Mon, Apr 10, 2006 at 08:40:03PM -0400, Matt Kettler wrote:
> >>>>Sergei Gerasenko wrote:
> >>>>>Hello everybody,
> >>>>>
> >>>>>Got a potentially previously answered question. I have  
> >>>>>spamassassin
> >>>>>3.0.2-3, which is the current release with Debian. I wouldn't
> >>>>>like to
> >>>>>deviate from the official package and so I'm wondering if it's
> >>>>>absolutely necessary to upgrade. I diffed the rules, they seem to
> >>>>>be the
> >>>>>same.
> >>>>>
> >>>>>That's actually why I'm looking into this. I'll need to update
> >>>>>the rules
> >>>>>periodically and sa-update is not in 3.0.2. Is there a repository
> >>>>>of the
> >>>>>standard rules somewhere? I couldn't find it no matter how hard I
> >>>>>looked.
> >>>>There are no standard rule updates that will work with the SA 3.0.x
> >>>>codebase.
> >>>>
> >>>>The whole idea behind SA 0.1 through 3.0.5 was that if you  
> >>>>needed new
> >>>>rules, you upgraded your SA version. Rule updates were previously
> >>>>very
> >>>>slow, due to the expensive mass-check process. New releases of SA
> >>>>code
> >>>>came out much faster than new rules, thus there was no point in
> >>>>separating the two. (rule updates were typically only made once or
> >>>>twice
> >>>>for a given major.minor release of SA. ie: 2.60 and 2.64 had rule
> >>>>updates, 2.61-63 did not.)
> >>>>
> >>>>With 3.1.1 and higher, the SA devs are trying out an approach of
> >>>>adding
> >>>>on rules and making updates to an already released version.  
> >>>>However,
> >>>>this is a completely new concept, and thus only supported on the
> >>>>completely new version.
> >>>>
> >>
> >
> 

Re: should I upgrade?

[Sergei <ge...@publicschoolworks.com>]

I tried sa-learn, but don't you need a sizable spam collection for it to
work? The docs say that you need to collect about a thousand of ham and
spam messages before the training starts to work. That sounds like a
pain in the neck. Or am I missing something?

I ran sa-learn on this one message, than ran SA with the -D switch and
it said that it was ignoring the Bayes database because there was only
one message.

How is it working for you? Or did you do the initial training?

On Mon, 2006-04-10 at 21:49 -0400, BMWrider wrote:
> All,
> 
> When I upgraded to 3.1.1 the Online Pharmaceutical SPAM also came  
> through. It didn't take much effort to
> run sa-learn --spam on a bunch of them to shut them out. The spammers  
> are trying some new tricks right
> now which will get through a fresh upgrade but again manual training  
> will stop them quickly.
> 
> Richard
> 
> 
> 
> "The advantage of a bad memory is that one enjoys several times the  
> same good things for the first time."
> ....Friedrich Nietzsche
> 
> 
> On Apr 10, 2006, at 8:59 PM, Sergei Gerasenko wrote:
> 
> > Thanks for such a quick reply. So upgrading would really be helpful in
> > terms of performance if nothing else. Ok, I'll give it a thought.  
> > Maybe
> > I'll find a Debian package with the latest version. Should be  
> > possible.
> >
> > I installed SpamAssassin today for the first time and "The Ultimate
> > Online Pharmaceutical" (seems like a LOT of people get this one in
> > particular) came through undetected. I had to add a manual rule to  
> > take
> > care of it. Could that have happened because I have an older  
> > version of
> > SA? If so, any options besides upgrading?
> >
> > Thanks!
> >
> > On Mon, Apr 10, 2006 at 08:40:03PM -0400, Matt Kettler wrote:
> >> Sergei Gerasenko wrote:
> >>> Hello everybody,
> >>>
> >>> Got a potentially previously answered question. I have spamassassin
> >>> 3.0.2-3, which is the current release with Debian. I wouldn't  
> >>> like to
> >>> deviate from the official package and so I'm wondering if it's
> >>> absolutely necessary to upgrade. I diffed the rules, they seem to  
> >>> be the
> >>> same.
> >>>
> >>> That's actually why I'm looking into this. I'll need to update  
> >>> the rules
> >>> periodically and sa-update is not in 3.0.2. Is there a repository  
> >>> of the
> >>> standard rules somewhere? I couldn't find it no matter how hard I
> >>> looked.
> >> There are no standard rule updates that will work with the SA 3.0.x
> >> codebase.
> >>
> >> The whole idea behind SA 0.1 through 3.0.5 was that if you needed new
> >> rules, you upgraded your SA version. Rule updates were previously  
> >> very
> >> slow, due to the expensive mass-check process. New releases of SA  
> >> code
> >> came out much faster than new rules, thus there was no point in
> >> separating the two. (rule updates were typically only made once or  
> >> twice
> >> for a given major.minor release of SA. ie: 2.60 and 2.64 had rule
> >> updates, 2.61-63 did not.)
> >>
> >> With 3.1.1 and higher, the SA devs are trying out an approach of  
> >> adding
> >> on rules and making updates to an already released version. However,
> >> this is a completely new concept, and thus only supported on the
> >> completely new version.
> >>
> 

Re: should I upgrade?

[Sergei Gerasenko <ge...@publicschoolworks.com>]

Thanks for such a quick reply. So upgrading would really be helpful in
terms of performance if nothing else. Ok, I'll give it a thought. Maybe
I'll find a Debian package with the latest version. Should be possible.

I installed SpamAssassin today for the first time and "The Ultimate
Online Pharmaceutical" (seems like a LOT of people get this one in
particular) came through undetected. I had to add a manual rule to take
care of it. Could that have happened because I have an older version of
SA? If so, any options besides upgrading?

Thanks!

On Mon, Apr 10, 2006 at 08:40:03PM -0400, Matt Kettler wrote:
> Sergei Gerasenko wrote:
> > Hello everybody,
> >
> > Got a potentially previously answered question. I have spamassassin
> > 3.0.2-3, which is the current release with Debian. I wouldn't like to
> > deviate from the official package and so I'm wondering if it's
> > absolutely necessary to upgrade. I diffed the rules, they seem to be the
> > same. 
> >
> > That's actually why I'm looking into this. I'll need to update the rules
> > periodically and sa-update is not in 3.0.2. Is there a repository of the
> > standard rules somewhere? I couldn't find it no matter how hard I
> > looked.
> There are no standard rule updates that will work with the SA 3.0.x
> codebase.
> 
> The whole idea behind SA 0.1 through 3.0.5 was that if you needed new
> rules, you upgraded your SA version. Rule updates were previously very
> slow, due to the expensive mass-check process. New releases of SA code
> came out much faster than new rules, thus there was no point in
> separating the two. (rule updates were typically only made once or twice
> for a given major.minor release of SA. ie: 2.60 and 2.64 had rule
> updates, 2.61-63 did not.)
> 
> With 3.1.1 and higher, the SA devs are trying out an approach of adding
> on rules and making updates to an already released version. However,
> this is a completely new concept, and thus only supported on the
> completely new version.
> 

Re: should I upgrade?

[Matt Kettler <mk...@comcast.net>]

Sergei Gerasenko wrote:
> Hello everybody,
>
> Got a potentially previously answered question. I have spamassassin
> 3.0.2-3, which is the current release with Debian. I wouldn't like to
> deviate from the official package and so I'm wondering if it's
> absolutely necessary to upgrade. I diffed the rules, they seem to be the
> same. 
>
> That's actually why I'm looking into this. I'll need to update the rules
> periodically and sa-update is not in 3.0.2. Is there a repository of the
> standard rules somewhere? I couldn't find it no matter how hard I
> looked.
There are no standard rule updates that will work with the SA 3.0.x
codebase.

The whole idea behind SA 0.1 through 3.0.5 was that if you needed new
rules, you upgraded your SA version. Rule updates were previously very
slow, due to the expensive mass-check process. New releases of SA code
came out much faster than new rules, thus there was no point in
separating the two. (rule updates were typically only made once or twice
for a given major.minor release of SA. ie: 2.60 and 2.64 had rule
updates, 2.61-63 did not.)

With 3.1.1 and higher, the SA devs are trying out an approach of adding
on rules and making updates to an already released version. However,
this is a completely new concept, and thus only supported on the
completely new version.

Re: should I upgrade?

[Sergei Gerasenko <ge...@publicschoolworks.com>]

> Side-note.. what version of SA did you diff against?

I downloaded Mail-SpamAssassin-current from the ftp. I thought that was
a link to the most current version. I might have been wrong.

> All that said, you might be OK with debian's SA 3.0.2-3. While it's
> important to be fairly current on SA, it's not always critical to be on

Cool.

> I myself despise distro port packages and avoid them for any package
> that I have a solid knowledge of that I want to update readily. I lean

I agree but this has to be super stable even if there's a chance of
slight problems. At home I go for the latest :)

Re: should I upgrade?

[Matt Kettler <mk...@comcast.net>]

Sergei Gerasenko wrote:
> Hello everybody,
>
> Got a potentially previously answered question. I have spamassassin
> 3.0.2-3, which is the current release with Debian. I wouldn't like to
> deviate from the official package and so I'm wondering if it's
> absolutely necessary to upgrade. I diffed the rules, they seem to be the
> same. 
>   
Side-note.. what version of SA did you diff against?

It seems highly improbable that the rules you have are the same as those
in 3.1.1.

Also, even if the literal .cf files are the same, the code implements
some of the rules. ALL_TRUSTED behaves considerably different between
3.0.0-3.0.4 and 3.0.5. Did debian backport the changes in the Received:
parser that cause this change?

All that said, you might be OK with debian's SA 3.0.2-3. While it's
important to be fairly current on SA, it's not always critical to be on
the latest release. You'll loose out on a little accuracy, but if
staying within debian's ports is important to you it might be worth the
trade-off. That's your choice to make.

I myself despise distro port packages and avoid them for any package
that I have a solid knowledge of that I want to update readily. I lean
on distro packages for odds-and-ends utilities that I rarely change
outside of security updates (bash, tar, gzip), but I go official-source
for packages I'm pushing the leading edge of (SA, clamav, snort, etc).
But that's my personal preference, and it's not suited to everyone.