You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@spamassassin.apache.org by John Fleming <jo...@wa9als.com> on 2005/01/21 14:30:20 UTC
Another missed spam question
Since upgrading v2.64 to 3.0.2, I have a much higher false negative rate. I
posted one a couple of days ago that involved a "trusted" issue. I just got
a medication-spam this morning that ONLY triggered bayes_99, although it
mentioned sexual health, anxiety and others I would've thought would've
triggered more rules.
Is a lot of reconfiguration usually necessary when upgrading 2.64 to 3.0? I
thought I understood that 3.0 incorporated several of the rulesets that were
previously separate, and besides, I haven't removed any old rulesets yet
anyway.
Any comments? Tnx!
Re: network tests
Posted by Loren Wilton <lw...@earthlink.net>.
> how much RAM is recommended for a box that does nothing besides
> Spamassassin?
It depends on your mail load. But in general, you can't have too much.
Loren
Re: network tests
Posted by "Frank M. Cook" <fc...@acsplus.com>.
> Most people that have seen a slowdown in 3.x seem to be due to thrashing
> due
> to larger memory usage.
how much RAM is recommended for a box that does nothing besides
Spamassassin?
Frank M. Cook
Association Computer Services, Inc.
http://www.acsplus.com
Re: network tests
Posted by Loren Wilton <lw...@earthlink.net>.
> the reason I suspected the net tests was because the problem happened
after
> we upgraded from version 2. we were keeping up before. I was thinking it
> was the net tests because I wasn't doing them in 2. I wasn't aware of
other
> changes from 2 to 3 that could be the cause. now if two used fewer
> children, that could indeed be a smoking gun.
Most people that have seen a slowdown in 3.x seem to be due to thrashing due
to larger memory usage. This was especially bad on 3.0 and 3.0.1. Going to
3.0.2, cutting down the number of children, and cutting down the number of
messages each child processes before restarting are the general solutions.
That said, some people have seen problems with slow net tests. But that
seems to always turn out to be a local problem that isn't specifically SA
once it is analyzed.
Loren
Re: network tests
Posted by "Frank M. Cook" <fc...@acsplus.com>.
> I would try to figure out why your net tests are so slow. Or maybe first
> figure out (if you haven't already) whether it is really the net tests
> that
> are slowing you down. Maybe you are thrashing, and more memory, or
> running
> fewer spamd children, or having them expire after fewer connections would
> be
> the real cure here.
that all makes sense. you've given me three good suggestions to try next
week.
the reason I suspected the net tests was because the problem happened after
we upgraded from version 2. we were keeping up before. I was thinking it
was the net tests because I wasn't doing them in 2. I wasn't aware of other
changes from 2 to 3 that could be the cause. now if two used fewer
children, that could indeed be a smoking gun.
Frank M. Cook
Association Computer Services, Inc.
http://www.acsplus.com
Re: network tests
Posted by jdow <jd...@earthlink.net>.
From: "Loren Wilton" <lw...@earthlink.net>
> 4) Maybe a local dns cache
>
> > I only have 500 mailboxes so I can't be processing anything like the
100k
> of
> > messages a day that your faq says would require local dns.
>
> Keeping network tests is a real good idea. Currently SURBL seems to be
one
> of the best ones to keep, but others can help too.
>
> I would try to figure out why your net tests are so slow. Or maybe first
> figure out (if you haven't already) whether it is really the net tests
that
> are slowing you down. Maybe you are thrashing, and more memory, or
running
> fewer spamd children, or having them expire after fewer connections would
be
> the real cure here.
Heh, 500 mailboxes like mine might almost get there and then some. I
get anywhere from 700 to 1500 emails a day lately on three mailboxes.
(Two are VERY lightly used.)
Additional ram can make a big difference, too. This is particularly
true when you manage to put the machine into swapping. He might need
to drop the number of concurrent spamd.
{^_^}
Re: network tests
Posted by Loren Wilton <lw...@earthlink.net>.
> you're tied in with this plan. what would you recommend? I'm seeing
> messages take 30 to 45 seconds to process. that's way too long. should I
> 1) use -L
I wouldn't recommend it, but you can run without net tests. You have to
spend more time on making sure you have good rules though.
> 2) turn some rules off so that I'm checking fewer RBL's? (I've had
good
> luck with spamhaus.)
Maybe, but I wouldn't expect that the number of net tests per se should be
affecting parsing speed. The net tests run in parallel with the other
tests, and then there is a final timeout if the tests haven't arrived by
then.
> 3) get a faster computer
Don't know how fast your machine is, but if the load average is reasonable I
don't immediately see that faster would help. If you are swamped, then some
new hardware would sure help. But more often than not for SA this would be
more memory rather than a faster processor.
4) Maybe a local dns cache
> I only have 500 mailboxes so I can't be processing anything like the 100k
of
> messages a day that your faq says would require local dns.
Keeping network tests is a real good idea. Currently SURBL seems to be one
of the best ones to keep, but others can help too.
I would try to figure out why your net tests are so slow. Or maybe first
figure out (if you haven't already) whether it is really the net tests that
are slowing you down. Maybe you are thrashing, and more memory, or running
fewer spamd children, or having them expire after fewer connections would be
the real cure here.
Loren
Re: network tests
Posted by Jeff Chan <je...@surbl.org>.
On Friday, January 21, 2005, 8:44:18 PM, Frank Cook wrote:
>> Depends how you're starting SpamAssassin. Various flags are
>> described at:
>>
>> http://www.surbl.org/faq.html#nettest
> thanks. that faq helps. I take it from your email address, Jeff, that
> you're tied in with this plan. what would you recommend? I'm seeing
> messages take 30 to 45 seconds to process. that's way too long. should I
30 to 45 seconds is definitely too long, and atypical.
If you do a manual local name resolution on the server like:
dig 2.0.0.127.sbl.spamhaus.org a
how long does it take? If more than a few milliseconds
then your DNS configuration may be broken.
Jeff C.
--
Jeff Chan
mailto:jeffc@surbl.org
http://www.surbl.org/
Re: network tests
Posted by "Frank M. Cook" <fc...@acsplus.com>.
> Depends how you're starting SpamAssassin. Various flags are
> described at:
>
> http://www.surbl.org/faq.html#nettest
thanks. that faq helps. I take it from your email address, Jeff, that
you're tied in with this plan. what would you recommend? I'm seeing
messages take 30 to 45 seconds to process. that's way too long. should I
1) use -L
2) turn some rules off so that I'm checking fewer RBL's? (I've had good
luck with spamhaus.)
3) get a faster computer
I only have 500 mailboxes so I can't be processing anything like the 100k of
messages a day that your faq says would require local dns.
Frank M. Cook
Association Computer Services, Inc.
http://www.acsplus.com
Re: network tests
Posted by Jeff Chan <je...@surbl.org>.
On Friday, January 21, 2005, 7:35:09 AM, Frank Cook wrote:
> <Do you use network tests?>
> how is this controlled in version 3? We had the network tests turned off in
> version 2 but after upgrading to version 3 it is taking 45 seconds to
> process each message and the reports show network testing is being done even
> though our local.cf says they are turned off.
Depends how you're starting SpamAssassin. Various flags are
described at:
http://www.surbl.org/faq.html#nettest
Jeff C.
--
Jeff Chan
mailto:jeffc@surbl.org
http://www.surbl.org/
Re: network tests
Posted by Thomas Arend <ml...@arend-whv.info>.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Am Freitag, 21. Januar 2005 16:35 schrieb Frank M. Cook:
> <Do you use network tests?>
>
> how is this controlled in version 3? We had the network tests turned off
> in version 2 but after upgrading to version 3 it is taking 45 seconds to
> process each message and the reports show network testing is being done
> even though our local.cf says they are turned off.
For spamd or spamassassin it's turned off with the parameter "-L".
(see man spamd / spamassassin)
Thomas
icq:133073900
http://www.t-arend.de
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (GNU/Linux)
iD8DBQFB8Ty9He2ZLU3NgHsRAjlAAJ9j/09tv8PIbkM8Ocu5tU/Klh3PeACfU4nO
5wQstkDDC2klR+eJ76xqPzY=
=iAKP
-----END PGP SIGNATURE-----
network tests
Posted by "Frank M. Cook" <fc...@acsplus.com>.
<Do you use network tests?>
how is this controlled in version 3? We had the network tests turned off in
version 2 but after upgrading to version 3 it is taking 45 seconds to
process each message and the reports show network testing is being done even
though our local.cf says they are turned off.
Frank M. Cook
Association Computer Services, Inc.
http://www.acsplus.com
Re: Another missed spam question
Posted by Thomas Arend <ml...@arend-whv.info>.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Am Freitag, 21. Januar 2005 14:30 schrieb John Fleming:
> Since upgrading v2.64 to 3.0.2, I have a much higher false negative rate.
> I posted one a couple of days ago that involved a "trusted" issue. I just
> got a medication-spam this morning that ONLY triggered bayes_99, although
> it mentioned sexual health, anxiety and others I would've thought would've
> triggered more rules.
Another case for my magic eye. Maybe I will find it some day.
Some times they come trough. Spamer react on filters.
Do you use network tests? Spamer changed the servers frequently.
>
> Is a lot of reconfiguration usually necessary when upgrading 2.64 to 3.0?
> I thought I understood that 3.0 incorporated several of the rulesets that
> were previously separate, and besides, I haven't removed any old rulesets
> yet anyway.
I have upgraded three server fom 2.63 to 3.0.x. Normaly there are only small
changes in the configuration for now unsupported options.
The ammount of reconfiguration depneds on your installation.
>
> Any comments? Tnx!
Keep your body informed. Garbage in - garbage out.
Thomas
- --
icq:133073900
http://www.t-arend.de
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (GNU/Linux)
iD8DBQFB8RCFHe2ZLU3NgHsRAp4IAJ9Ssms7Cj357sCmsrDDCOL9Ac93DgCdFapR
VKhrq4CNSbQIFCc13e9PVFU=
=JnPW
-----END PGP SIGNATURE-----
Re: Another missed spam question
Posted by Loren Wilton <lw...@earthlink.net>.
> Is a lot of reconfiguration usually necessary when upgrading 2.64 to 3.0?
I
> thought I understood that 3.0 incorporated several of the rulesets that
were
> previously separate, and besides, I haven't removed any old rulesets yet
> anyway.
Some is necessary. Shouldn't be a huge amount.
You need to muck with the assorted local.cf options that have changed name
and/or shape.
If you have a NATed host, you need to set up trusted networks. (You should
have had it before, but it is important now.)
You need to make sure that all of the spare Perl parts are the appropriate
versions.
And if you are running SARE rules, you will need to fiddle around a little
bit and make sure that you have a rule collection that is appropriate for
3.0+.
Of course you should run lint to make sure things are really working, and
probably also run spamassassin -D to make sure that all of your rule files
are getting picked up.
Loren