Posted to users@spamassassin.apache.org by Jake Colman <co...@ppllc.com> on 2005/04/12 20:53:27 UTC

SpamAssassin Suddenly Not Catching Spam

I upgraded from SA 2.x to 3.x a few weeks ago.  I also installed the Rules Du
Jour script for maintaining SARE files.  After doing all this the amount of
spam caught by SA increased dramatically.  All was well.

A few days ago I suddenly started having spam get through just like the bad
days prior to my upgrade.  Is there some way for me to figure out why SA is
not doing its thing for me?

-- 
Jake Colman
Sr. Applications Developer
Principia Partners LLC
Harborside Financial Center
1001 Plaza Two
Jersey City, NJ 07311
(201) 209-2467
www.principiapartners.com


Re: SpamAssassin Suddenly Not Catching Spam

Posted by Loren Wilton <lw...@earthlink.net>.
> A few days ago I suddenly started having spam get through just like the
> bad days prior to my upgrade.  Is there some way for me to figure out why
> SA is not doing its thing for me?

Always ask: what changed?

Probably the rules because you are using RDJ, in this case.

HOW OFTEN are you calling RDJ?  SARE has a block if you call more often than
once a day or so.  The result (with some versions of RDJ) is that you can
get rules files that are reject notices.  These don't work very well as
rules.

Try running 'spamassassin --lint' and see what it has to say.

Also check the cron job that fires off RDJ and make sure it runs no more
than once a day.

        Loren


Re: SpamAssassin Suddenly Not Catching Spam

Posted by Jake Colman <co...@ppllc.com>.
>>>>> "MK" == Matt Kettler <mk...@evi-inc.com> writes:

   MK> Yes, that's exactly what he wants you to look at. You can match up all
   MK> those test names with scores by grepping in 50_scores.cf. Since you have
   MK> bayes and network checks in use, it will be using the last score in each
   MK> line.

   MK> For example
   MK> $grep RAZOR2_CHECK 50_scores.cf
   MK> score RAZOR2_CHECK 0 0.150 0 1.511

   MK> This tells you that of the 4.7 total points, 1.511 came from this test.

   MK> You also are using some SARE rules, those won't show up in 50_scores.cf,
   MK> they'll be in /etc/mail/spamassassin/*.cf, but the same tactic applies.

   MK> I can tell you from experience that none of the above rules have a
   MK> significant negative score. (SPF_HELO_PASS is negative, but it's -0.001
   MK> points)

   MK> The one thing that sticks out to me is that it hit BAYES_50.. this
   MK> suggests that while you have bayes enabled, it's not trained to
   MK> recognize this kind of spam.

   MK> BAYES_50 specifically means that SA's bayes result is undecided for this
   MK> message, and believes there's a 50/50 chance of the email being spam or
   MK> nonspam. Had this message scored on the spam side of the BAYES_ rankings,
   MK> it would have also had a higher total score, and probably have been
   MK> tagged as spam.

Thanks, Matt, for the explanation.

Maybe my bayes database (or mechanism) is screwed up.  I am not using a mysql
database for bayes and I think I'm using an individual bayes database per
person.  

1) How can I verify that it is finding my bayes database?  Maybe that's the
   problem?

2) How can I share a global bayes database so that all users share the same
   database?  This is a home network and mail server; we all have the same
   idea as to what's spam.  I want one person (myself) to do the spam
   training and have everyone benefit.

By the way, I use spamc/spamd and a global procmailrc to do my filtering.

Thanks!

...Jake

-- 
Jake Colman
Sr. Applications Developer
Principia Partners LLC
Harborside Financial Center
1001 Plaza Two
Jersey City, NJ 07311
(201) 209-2467
www.principiapartners.com


Re: SpamAssassin Suddenly Not Catching Spam

Posted by Matt Kettler <mk...@evi-inc.com>.
Jake Colman wrote:

>Forgive my ignorance...
>
>I assume that "negatively-scored" means that it is less likely to be spam,
>correct?
>
>Here is an example of a message that should have been flagged:
>
>X-Spam-Status: No, score=4.7 required=5.0 tests=BAYES_50,HTML_10_20,
>HTML_MESSAGE,MIME_HTML_ONLY,RAZOR2_CF_RANGE_51_100,RAZOR2_CHECK,
>SARE_RECV_IP_218071,SPF_HELO_PASS,TW_GK,URIBL_SBL autolearn=no version=3.0.2
>
>How do I read this and what do I do with this?  I assume this is what you
>were asking me to look at, right?
>
Yes, that's exactly what he wants you to look at. You can match up all
those test names with scores by grepping in 50_scores.cf. Since you have
bayes and network checks in use, it will be using the last score in each
line.

For example
$grep RAZOR2_CHECK 50_scores.cf
score RAZOR2_CHECK 0 0.150 0 1.511

This tells you that of the 4.7 total points, 1.511 came from this test.

You also are using some SARE rules, those won't show up in 50_scores.cf,
they'll be in /etc/mail/spamassassin/*.cf, but the same tactic applies.

I can tell you from experience that none of the above rules have a
significant negative score. (SPF_HELO_PASS is negative, but it's -0.001
points)

The one thing that sticks out to me is that it hit BAYES_50.. this
suggests that while you have bayes enabled, it's not trained to
recognize this kind of spam.

BAYES_50 specifically means that SA's bayes result is undecided for this
message, and believes there's a 50/50 chance of the email being spam or
nonspam. Had this message scored on the spam side of the BAYES_ rankings,
it would have also had a higher total score, and probably have been
tagged as spam.





Re: SpamAssassin Suddenly Not Catching Spam

Posted by Kevin Peuhkurinen <ke...@meridiancu.ca>.
Loren Wilton wrote:

>1. Why did it get SPF_PASS if it is spam?
>
Nice analysis, Loren.   The only nit-pick I would make is that many 
spammers have valid SPF records set up, usually I believe "v=spf1 
+all".   A quick grep through my last 4000 spams shows 345 with SPF_PASS 
hits.   That is actually significantly higher than the number of spams 
that hit SPF_FAIL.    I believe that is why it is scored -0.001.


Re: SpamAssassin Suddenly Not Catching Spam

Posted by Marisabel Rodríguez <mr...@mecon.gov.ar>.
Thanks a lot!
M.

mewolf1@gmx.net wrote:

>In an older episode (Wednesday 13 April 2005 20:47), Marisabel Rodríguez 
>wrote:
>
>>Hello,
>>how can I unsubscribe?
>
>the headers of each mail that i receive from this list contain the line:
>list-unsubscribe: <ma...@spamassassin.apache.org>


Re: SpamAssassin Suddenly Not Catching Spam

Posted by me...@gmx.net.
In an older episode (Wednesday 13 April 2005 20:47), Marisabel Rodríguez 
wrote:
> Hello,
> how can I unsubscribe?

the headers of each mail that i receive from this list contain the line:
list-unsubscribe: <ma...@spamassassin.apache.org>


Re: SpamAssassin Suddenly Not Catching Spam

Posted by Matt Kettler <mk...@evi-inc.com>.
Marisabel Rodríguez wrote:

> Hello,
> how can I unsubscribe?
> I searched in the site but I didn't find anything.
> Best regards,
> M.


Try reading the message headers for any message on the list:

list-unsubscribe: <ma...@spamassassin.apache.org>

This is the RFC compliant way to advertise how to unsubscribe from a
mailing list, so be on the lookout for this elsewhere. More and more
mailing lists are shifting to this IETF standardized method.

(note: In Thunderbird you'll have to turn on view->headers->all in order
to see that, or use the "view headers toggle button" extension to make
this easy)

Re: SpamAssassin Suddenly Not Catching Spam

Posted by Marisabel Rodríguez <mr...@mecon.gov.ar>.
Hello,
how can I unsubscribe?
I searched in the site but I didn't find anything.
Best regards,
M.

Vivek Khera wrote:

>
> On Apr 13, 2005, at 2:25 PM, Matt Kettler wrote:
>
>> Besides, it's also easy for spam to get a "real" SPF_PASS. Just export a
>> record for spammerdomain.com which passes everything.
>>
>
> Funny thing is that I *literally* could do that if I wanted to...
>
> But I don't...  we don't accept mail for spammerdomain.com nor is it 
> used for sending :-)  But feel free to use it in as many examples as 
> you like.  One day we may use it for tarpit and/or spamtraps.
>
> Vivek Khera, Ph.D.
> +1-301-869-4449 x806
>


Re: SpamAssassin Suddenly Not Catching Spam

Posted by Vivek Khera <vi...@khera.org>.
On Apr 13, 2005, at 2:25 PM, Matt Kettler wrote:

> Besides, it's also easy for spam to get a "real" SPF_PASS. Just export a
> record for spammerdomain.com which passes everything.
>

Funny thing is that I *literally* could do that if I wanted to...

But I don't...  we don't accept mail for spammerdomain.com nor is it 
used for sending :-)  But feel free to use it in as many examples as 
you like.  One day we may use it for tarpit and/or spamtraps.

Vivek Khera, Ph.D.
+1-301-869-4449 x806


Re: SpamAssassin Suddenly Not Catching Spam

Posted by Matt Kettler <mk...@evi-inc.com>.
Loren Wilton wrote:

>
>SPF_HELO_PASS,
>
>This might well be a negative scoring rule.  Spam usually shouldn't be able
>to get an SPF_PASS rating.
>


Dude... SPF_HELO_PASS is an informational rule ONLY. It's there to act
as a debugging aid to an admin using SPF for the first time. This rule is
based on trusting the "helo" string. Of course that's forgeable, but we
all know that. That's why the rule is hand-set to -0.001. Of course it's
going to match spam, but the score is forced to be insignificant so who
cares.


Besides, it's also easy for spam to get a "real" SPF_PASS. Just export a
record for spammerdomain.com which passes everything.

Yes, people always come back with an argument that you can check for
pass-all SPF records, but that's shortsighted. It's pretty easy to
obfuscate the fact by splitting the IP ranges up into multiple ranges,
inserting holes, etc. There's millions of possible ways to obfuscate an
open record so there's no point in even trying to prevent this. SPF
isn't designed to prevent this, and it's not intended to.

Keep your eye on the reality of what SPF is and what it is not.

A passing SPF record only means the sender originated mail from a server
that the domain owner has deemed acceptable.

This has nothing to do with being nonspam, as the owner could be a
member of ROKSO. However, at the moment, very few domains publish SPF
records, and they're all spam-conscious people, so for the moment, a
true SPF_PASS is a nonspam sign, but don't expect that to last.



Re: SpamAssassin Suddenly Not Catching Spam

Posted by Kelson <ke...@speed.net>.
Loren Wilton wrote:
> SPF_HELO_PASS,
> 
> This might well be a negative scoring rule.  Spam usually shouldn't be able
> to get an SPF_PASS rating.

It can easily get one if it's sent *from the spammer's own domain* and 
they set up SPF records for it.

Remember, SPF and Domain Keys are *anti-forgery* technologies, not 
anti-spam technologies.  (Matt Kettler made a couple of good posts on 
this subject yesterday in the "I like this one.... Particularly the BS 
from Yahoo....." thread.) It's just that detecting forgeries is also 
useful in detecting spam -- and figuring out where to complain.

-- 
Kelson Vibber
SpeedGate Communications <www.speed.net>

Re: SpamAssassin Suddenly Not Catching Spam

Posted by Loren Wilton <lw...@earthlink.net>.
> I assume that "negatively-scored" means that it is less likely to be spam,
> correct?

Yes.  Specifically it means a rule with a negative score value.
High positive scores (over some threshold value, usually 5.0) indicate spam.
This score is usually an accumulation of smaller score values from various
rules.
Some things can indicate that the mail is NOT spam.  In this case a rule to
catch such a thing would add a *negative* score.  So if a known-ham message
had a few spammy things about it, the negative score would make it harder to
score (erroneously) as spam.

The most common negative scores are Bayes scores below 50.  Bayes will also
add positive scores above 50.


> Here is an example of a message that should have been flagged:
>
> X-Spam-Status: No, score=4.7 required=5.0 tests=BAYES_50,HTML_10_20,
> HTML_MESSAGE,MIME_HTML_ONLY,RAZOR2_CF_RANGE_51_100,RAZOR2_CHECK,
> SARE_RECV_IP_218071,SPF_HELO_PASS,TW_GK,URIBL_SBL autolearn=no
> version=3.0.2
>
> How do I read this and what do I do with this?  I assume this is what you
> were asking me to look at, right?

> X-Spam-Status: No, score=4.7 required=5.0

The mail isn't spam, it only scored 4.7 and needs to be at least 5.0 to be
spam.
NOTE!!! These score values are ROUNDED TO ONE DIGIT.  Many people ask "my
mail shows 5.0 hits and 5.0 required, why wasn't it spam?"  Because the
score was REALLY 4.999 or some such, which is less than 5.0, but rounds to
5.0 in the display.

>tests=BAYES_50,

Bayes doesn't know if this is ham or spam.  You should start training Bayes
to better recognize your mail.  Read up on sa-learn.  Bayes can help a great
deal when properly trained.  In this case it did nothing.

HTML_10_20,
HTML_MESSAGE,
MIME_HTML_ONLY,

Standard rules with very slight positive scores

RAZOR2_CF_RANGE_51_100,
RAZOR2_CHECK,

You are running Razor, so are running net tests successfully.  These checks
probably added much of the score for this spam.

> SARE_RECV_IP_218071,

Only ONE SARE rule hit.  If this is really spam, this is moderately unusual,
unless you only have one or two of the SARE files set up.

SPF_HELO_PASS,

This might well be a negative scoring rule.  Spam usually shouldn't be able
to get an SPF_PASS rating.

TW_GK,

This sounds like a local rule, but maybe it's a stock rule I've never seen.

URIBL_SBL

Sender showed up in a block list.  This added some positive points.

You can look up all of these rules in the *.cf files and see what their
scores are if you want.  Just grep the files for the rule names shown in the
message of interest.

Without seeing the message in question, the only 'strange' things here are:

1. Why did it get SPF_PASS if it is spam?
2. Why did only one SARE rule hit?
3. Why isn't Bayes better trained for this kind of message?

Bayes training you have to do.
Possibly this mail really does only hit one SARE rule.  Or possibly the
rules files are corrupt; --lint will tell you.
Can't tell anything about SPF_PASS without the original headers.

        Loren
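Matt's tactic of matching the test names in X-Spam-Status against the score lines in 50_scores.cf, and Loren's warning that the displayed score is rounded to one digit, worked through as an added Python example (not code from the thread or from SpamAssassin). The 50_scores.cf excerpt and the folded header are constructed sample data; the column choice for four-value score lines follows SpamAssassin's documented order (neither, net only, Bayes only, both), and SARE rules deliberately stay unresolved because they live in other *.cf files.

```python
import re

# Constructed excerpt in the format of SpamAssassin's 50_scores.cf (sample values,
# not the real file): a single score, or four scores chosen by Bayes/net settings.
SCORES_CF = """\
score BAYES_50 0 0 0.001 0.001
score HTML_MESSAGE 0.001
score RAZOR2_CHECK 0 0.150 0 1.511
score SPF_HELO_PASS -0.001
score URIBL_SBL 0 1.499 0 1.639
"""

# Constructed folded header, shaped like the one quoted in the thread.
HEADER = """X-Spam-Status: No, score=4.7 required=5.0 tests=BAYES_50,HTML_MESSAGE,
\tRAZOR2_CHECK,SARE_RECV_IP_218071,SPF_HELO_PASS,URIBL_SBL autolearn=no
\tversion=3.0.2"""

def load_scores(cf_text, bayes=True, net=True):
    """Map rule -> effective score. With four values SA picks the column by
    which tests are enabled: 0 neither, 1 net only, 2 Bayes only, 3 both."""
    col = (2 if bayes else 0) + (1 if net else 0)
    scores = {}
    for line in cf_text.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[0] == "score":
            vals = [float(v) for v in parts[2:]]
            scores[parts[1]] = vals[col] if len(vals) == 4 else vals[0]
    return scores

def parse_status(header):
    """Unfold the header (continuation whitespace -> one space) and extract
    the displayed score, the threshold and the list of rules that hit."""
    body = re.sub(r"\r?\n[ \t]+", " ", header)
    score = float(re.search(r"score=(-?[\d.]+)", body).group(1))
    required = float(re.search(r"required=([\d.]+)", body).group(1))
    tests = re.search(r"tests=((?:[A-Z0-9_]+,\s*)*[A-Z0-9_]+)", body).group(1)
    return score, required, re.findall(r"[A-Z0-9_]+", tests)

def explain(header, cf_text, bayes=True, net=True):
    """Per-rule contribution; None marks a rule absent from 50_scores.cf, i.e.
    a SARE or local rule whose score lives in another *.cf file."""
    scores = load_scores(cf_text, bayes, net)
    return [(t, scores.get(t)) for t in parse_status(header)[2]]

def is_spam(exact_total, required):
    """SA compares the unrounded total; the header shows it to one decimal,
    so a message displaying score=5.0 required=5.0 can still be ham."""
    return exact_total >= required
```

Call `explain(HEADER, SCORES_CF)` to see each rule's contribution, and compare `is_spam(4.96, 5.0)` with the `"5.0"` that `f"{4.96:.1f}"` prints to see Loren's rounding trap.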


Re: SpamAssassin Suddenly Not Catching Spam

Posted by Jake Colman <co...@ppllc.com>.
Forgive my ignorance...

I assume that "negatively-scored" means that it is less likely to be spam,
correct?

Here is an example of a message that should have been flagged:

X-Spam-Status: No, score=4.7 required=5.0 tests=BAYES_50,HTML_10_20,
HTML_MESSAGE,MIME_HTML_ONLY,RAZOR2_CF_RANGE_51_100,RAZOR2_CHECK,
SARE_RECV_IP_218071,SPF_HELO_PASS,TW_GK,URIBL_SBL autolearn=no version=3.0.2

How do I read this and what do I do with this?  I assume this is what you
were asking me to look at, right?

...Jake

>>>>> "KP" == Kevin Peuhkurinen <ke...@meridiancu.ca> writes:

   KP> You can begin by looking at the headers of false negatives and see
   KP> what rules they are hitting.  Are they hitting any negatively-scored
   KP> rules?

   KP> Jake Colman wrote:

   >> I upgraded from SA 2.x to 3.x a few weeks ago.  I also installed the Rules Du
   >> Jour script for maintaining SARE files.  After doing all this the amount of
   >> spam caught by SA increased dramatically.  All was well.
   >> 
   >> A few days ago I suddenly started having spam get through just like the bad
   >> days prior to my upgrade.  Is there some way for me to figure out why SA is
   >> not doing its thing for me?

-- 
Jake Colman
Sr. Applications Developer
Principia Partners LLC
Harborside Financial Center
1001 Plaza Two
Jersey City, NJ 07311
(201) 209-2467
www.principiapartners.com


Re: SpamAssassin Suddenly Not Catching Spam

Posted by Kevin Peuhkurinen <ke...@meridiancu.ca>.
You can begin by looking at the headers of false negatives and see what 
rules they are hitting.   Are they hitting any negatively-scored rules?  

Jake Colman wrote:

>I upgraded from SA 2.x to 3.x a few weeks ago.  I also installed the Rules Du
>Jour script for maintaining SARE files.  After doing all this the amount of
>spam caught by SA increased dramatically.  All was well.
>
>A few days ago I suddenly started having spam get through just like the bad
>days prior to my upgrade.  Is there some way for me to figure out why SA is
>not doing its thing for me?
>