Posted to users@spamassassin.apache.org by Luis Daniel Lucio Quiroz <lu...@gmail.com> on 2009/01/02 20:48:13 UTC
Test order
Hi Spams,
After finally doing clamav scanning with sa-plugin, I would like to know when
this test is done. I mean, is it the first or last?
Is there any way to force it to be the last?
My headers are these:
Return-Path: <dl...@okay.com.mx>
X-Original-To: dlucio@okay.com.mx
Delivered-To: dlucio@okay.com.mx
Received: from soekris.okay.com.mx (soekris [192.168.203.18])
by fernanda.okay.com.mx (Postfix) with ESMTP id 96E0A5FDC
for <dl...@okay.com.mx>; Fri, 2 Jan 2009 12:17:50 -0600 (CST)
Received: by soekris.okay.com.mx (Postfix, from userid 8)
id 472CD730B; Fri, 2 Jan 2009 12:26:46 -0600 (CST)
X-Spam-Virus: No
X-Spam-ImageCerberus-OUT: 0.0 (No images found)
X-Spam-ASN:
X-Spam-Flag: YES
X-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) on soekris.okay.com.mx
X-Spam-Level: ***********
X-Spam-Status: Yes, score=11.5 required=3.0 tests=BAYES_99,FH_HELO_EQ_D_D_D_D,
HELO_DYNAMIC_DHCP,HELO_DYNAMIC_IPADDR,HTML_IMAGE_ONLY_16,HTML_MESSAGE,
HTML_SHORT_LINK_IMG_2,L_P0F_W,MIME_HTML_ONLY,RDNS_DYNAMIC,SAGREY autolearn=no
version=3.2.5
X-Spam-Pyzor: Reported 0 times.
X-Spam-Report:
* 3.5 BAYES_99 BODY: Bayesian spam probability is 99 to 100%
* [score: 1.0000]
* 1.4 HELO_DYNAMIC_DHCP Relay HELO'd using suspicious hostname (DHCP)
* 0.0 FH_HELO_EQ_D_D_D_D Helo is d-d-d-d
* 2.4 HELO_DYNAMIC_IPADDR Relay HELO'd using suspicious hostname (IP addr
* 1)
* 0.1 L_P0F_W Relayed through Windows OS except Windows XP
* 0.0 HTML_MESSAGE BODY: HTML included in message
* 1.5 MIME_HTML_ONLY BODY: Message only has text/html MIME parts
* 1.5 HTML_IMAGE_ONLY_16 BODY: HTML: images with 1200-1600 bytes of words
* 0.1 RDNS_DYNAMIC Delivered to trusted network by host with
* dynamic-looking rDNS
* 0.0 HTML_SHORT_LINK_IMG_2 HTML is very short with a linked image
* 1.0 SAGREY Adds 1.0 to spam from first-time senders
Received: from cpe-76-92-248-31.kc.res.rr.com (cpe-76-92-248-31.kc.res.rr.com
[76.92.248.31])
by soekris.okay.com.mx (Postfix) with ESMTP id 702BB4003
for <dl...@okay.com.mx>; Fri, 2 Jan 2009 12:26:15 -0600 (CST)
Happy NY
LD
Re: Test order
Posted by John Hardin <jh...@impsec.org>.
On Fri, 2 Jan 2009, Luis Daniel Lucio Quiroz wrote:
> You mean
>
> as a milter for example?
A clamav-only milter, yes, assuming your SA milter can be told to file or
discard the message and thus bypass AV scanning.
> On Friday 02 January 2009 19:30:05 John Hardin wrote:
>> On Fri, 2 Jan 2009, Luis Daniel Lucio Quiroz wrote:
>>> it is for short-circuit. Because likelihood of being SPAM is higher than
>>> a Mail with virii, and because virii test needs more power, I'd like to
>>> send to back virii test.
>>
>> You might have more success incorporating clamav through some other way
>> than as a SA plugin, then. Running it as a separate filter *after* SA,
>> assuming that the glue lets you file/discard the message based on the SA
>> score before running it through clamav...
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin@impsec.org FALaholic #11174 pgpk -a jhardin@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
USMC Rules of Gunfighting #12: Have a plan.
USMC Rules of Gunfighting #13: Have a back-up plan, because the
first one won't work.
-----------------------------------------------------------------------
14 days until Benjamin Franklin's 303rd Birthday
Re: Test order
Posted by Luis Daniel Lucio Quiroz <lu...@gmail.com>.
You mean
as a milter for example?
On Friday 02 January 2009 19:30:05 John Hardin wrote:
> On Fri, 2 Jan 2009, Luis Daniel Lucio Quiroz wrote:
> > it is for short-circuit. Because likelihood of being SPAM is higher than
> > a Mail with virii, and because virii test needs more power, I'd like to
> > send to back virii test.
>
> You might have more success incorporating clamav through some other way
> than as a SA plugin, then. Running it as a separate filter *after* SA,
> assuming that the glue lets you file/discard the message based on the SA
> score before running it through clamav...
Re: Test order
Posted by Karsten Bräckelmann <gu...@rudersport.de>.
On Fri, 2009-01-02 at 18:58 -0600, Luis Daniel Lucio Quiroz wrote:
> [...] and because virii test needs more power, I'd like to send to back
> virii test.
Wrong. ClamAV takes less time and CPU per message than SA.
--
char *t="\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8? c<<=1:
(c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}
Re: Test order
Posted by Matt Kettler <mk...@verizon.net>.
Luis Daniel Lucio Quiroz wrote:
> You are right
>
>
> it is for short-circuit. Because likelihood of being SPAM is higher than
> a Mail with virii, and because virii test needs more power, I'd like to
> send to back virii test.
Fair enough. Just be careful with shortcircuit if you're doing it based
on scores that aren't really large. Shortcircuit stops the scan, and can
cause a message to miss negative scoring rules that might bring it back
down if they would otherwise run later in the scan.
>
> What is the line to change priority?
priority RULE_NAME 12345
From man Mail::SpamAssassin::Conf:
    priority SYMBOLIC_TEST_NAME n
        Assign a specific priority to a test. All tests, except for DNS and
        Meta tests, are run in increasing priority value order (negative
        priority values are run before positive priority values). The default
        test priority is 0 (zero).
        The values <-99999999999999> and <-99999999999998> have a special
        meaning internally, and should not be used.
>
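Added example, not part of the original thread: a local.cf fragment that combines the `priority` directive quoted above with the Shortcircuit plugin. `CLAMAV` is assumed to be the rule name your ClamAV plugin .cf declares, and the priority values are illustrative.

```conf
# Constructed local.cf fragment (example only).
# The Shortcircuit plugin ships disabled; enable it in v320.pre or here.
loadplugin Mail::SpamAssassin::Plugin::Shortcircuit

ifplugin Mail::SpamAssassin::Plugin::Shortcircuit
  # Rules that may end the scan must run early: negative priorities run
  # before the default priority 0.
  priority     USER_IN_WHITELIST  -1000
  shortcircuit USER_IN_WHITELIST  on
  priority     USER_IN_BLACKLIST  -1000
  shortcircuit USER_IN_BLACKLIST  on

  # Riskier: BAYES_99 alone is not a large score, so stopping here skips
  # any negative-scoring rules that would have run later in the scan.
  # priority     BAYES_99  -400
  # shortcircuit BAYES_99  spam
endif

# Run the virus check after the default-priority rules, so a scan that
# was shortcircuited never reaches it.
# CLAMAV is an assumed rule name; use the one your plugin's .cf declares.
priority CLAMAV 1000
```

Run `spamassassin --lint` after editing to confirm the fragment parses.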
Re: Test order
Posted by John Hardin <jh...@impsec.org>.
On Fri, 2 Jan 2009, Luis Daniel Lucio Quiroz wrote:
> it is for short-circuit. Because likelihood of being SPAM is higher than
> a Mail with virii, and because virii test needs more power, I'd like to
> send to back virii test.
You might have more success incorporating clamav through some other way
than as a SA plugin, then. Running it as a separate filter *after* SA,
assuming that the glue lets you file/discard the message based on the SA
score before running it through clamav...
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin@impsec.org FALaholic #11174 pgpk -a jhardin@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
...people who insist that religion is required for morality remind
me of hoplophobes who insist that I be disarmed because _they're_
unsafe with a gun. -- MarkHB at munchkinwrangler's
-----------------------------------------------------------------------
15 days until Benjamin Franklin's 303rd Birthday
Re: Test order
Posted by Luis Daniel Lucio Quiroz <lu...@gmail.com>.
You are right
it is for short-circuit. Because likelihood of being SPAM is higher than a Mail
with virii, and because virii test needs more power, I'd like to send to back
virii test.
What is the line to change priority?
TIA
LD
On Friday 02 January 2009 17:06:50 Matt Kettler wrote:
> Luis Daniel Lucio Quiroz wrote:
> > Hi Spams,
> >
> >
> > After finally doing clamav scanning with sa-plugin, I would like to know when
> > this test is done. I mean, is it the first or last?
>
> By default, the .cf file in
> http://wiki.apache.org/spamassassin/ClamAVPlugin has no priority
> declared, so it's going to run "in the middle" with most of the rules.
>
> > Is there any way to force it to be the last?
>
> Change the priority of the rule in your config file.
>
> However, might I ask what the benefit would be of forcing it to be last?
>
> Unless you're using the shortcircuit plugin, and have some rules
> configured to short circuit the scan, there's no real point in doing
> this last. SA doesn't abort scanning unless it hits a shortcircuit rule.
Re: Test order
Posted by Matt Kettler <mk...@verizon.net>.
Luis Daniel Lucio Quiroz wrote:
> Hi Spams,
>
>
> After finally doing clamav scanning with sa-plugin, I would like to know when
> this test is done. I mean, is it the first or last?
By default, the .cf file in
http://wiki.apache.org/spamassassin/ClamAVPlugin has no priority
declared, so it's going to run "in the middle" with most of the rules.
>
> Is there any way to force it to be the last?
Change the priority of the rule in your config file.
However, might I ask what the benefit would be of forcing it to be last?
Unless you're using the shortcircuit plugin, and have some rules
configured to short circuit the scan, there's no real point in doing
this last. SA doesn't abort scanning unless it hits a shortcircuit rule.