Posted to users@spamassassin.apache.org by Matt Kettler <mk...@verizon.net> on 2007/11/01 13:37:31 UTC

Re: Confirm configuration settings

Joey wrote:
>
> Hello All,
>
>  
>
> After my post Help figuring our why SA is taking like 1.5 minutes to
> filter I decided to kind of clean up my configuration and also get rid
> of RulesDeJour.
>
Hmm interesting..

Question, what tools do you use to call SA? Do you know for sure what
user SA runs as while scanning mail?

If so, try running a sa-learn --force-expire as that user.

> I noticed these updates go to /var/lib/spamassassin/X.XXX,  my first
> question is does this folder automatically get used by SA when it’s
> looking for rules, so there is no config I have to do?
>
Yes, it automatically gets used. If you run spamassassin --lint -D it
will show you, among other things, what paths and files SA is using.
>
>  
>
> Second if I were to update to a specific folder let's say /myfolder I
> know I can pass the parameter on the sa-update of --updatedir
> /myfolder, however do I then have to specify in the local.cf anything
> to ensure we are using that folder for rules?
>
AFAIK, there's no option to over-ride the LOCAL_STATE_DIR, which is what
this directory is, other than at compile time.
>
>
> For reference if I have a backup folder within the rules folder called
> backup, will SA look at any of the rules I copied there without having
> a cf file telling it to include any files in that folder?
>
> In other words does it automatically use any cf files it finds within
> any subfolder of the main rules folder?
>
No.
>
> 1.       Is there a way for me to have sa-update update the .cf files
> here?
>
Some of them can be sa-updated. It's really up to the particular ruleset
maintainer to set up the DNS features needed. (sa-update doesn't just
fetch a web page like RDJ does. To save bandwidth it uses DNS to find
out what the latest update rev is before it goes to HTTP)

A lot of the SARE rules support sa-update, as can be found here.

http://daryl.dostech.ca/sa-update/sare/sare-sa-update-howto.txt
>
> 2.       Should I get rid of any of these rules ( tripwire etc)?
>
None of them look to be "bad" rules to have. The ones to avoid include
sa-blacklist* (kills your server), bigevil (kills your server),
antidrug.cf (redundant/outdated compared to rules built-in to SA)
>
> 3.       Are there any other rules that do well that I should add?
>
I like the SARE spec ruleset, but I'd not go adding more stuff till you
fix your performance problems..

http://www.rulesemporium.com/rules/70_sare_specific.cf
>
>  
>
> Anything that can be suggested to improve my configuration is GREATLY
> appreciated!
>

Everything else looks good, although you might be a bit over-trusting of
the URIBLS by placing them all at 7. Provided you don't mind a rare FP,
that should be fine, but if you are FP averse, I'd avoid that.  I get
about 1 desirable email every 2 months that gets hit by one of them, and
about 2 newsletters that I intentionally subscribe to, but don't care
too much about, that hit one or more URIBL.. I request delisting, and
they generally do, but eventually some other domain gets picked up.. YMMV.

(and note: I get a *LOT* of email, so those frequencies still boil down
to a very low FP rate)
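
Added example, not part of the original post and not sa-update's own code: shell functions mirroring the DNS-then-HTTP check described above, where a cheap TXT lookup decides whether an HTTP download is needed at all. The reversed-version record name, the `# UPDATE version` marker line, the sample version 3.2.1 and the revision numbers are assumptions or constructed values.

```shell
#!/bin/sh
# Added illustration; version, revisions and file contents are constructed.

# TXT record name for a channel: reversed SA version, then the channel name
# (name layout is an assumption, e.g. 3.2.1 -> 1.2.3.updates.spamassassin.org).
sa_dns_name() {
    reversed=$(printf '%s\n' "$1" | awk -F. \
        '{ for (i = NF; i > 0; i--) printf "%s%s", $i, (i > 1 ? "." : "") }')
    printf '%s.%s\n' "$reversed" "$2"
}

# Revision already installed, read from the channel's .cf file.
# Assumed marker line: "# UPDATE version <digits>". Prints 0 if absent.
local_rev() {
    rev=$(sed -n 's/^# UPDATE version \([0-9][0-9]*\)$/\1/p' "$1" 2>/dev/null | head -n 1)
    printf '%s\n' "${rev:-0}"
}

# Live lookup (needs network and dig); not called by the demo below.
remote_rev() { dig +short TXT "$1" | head -n 1; }

# Compare revisions. The DNS answer is untrusted input, so anything that is
# not purely digits (after stripping TXT quotes) is rejected.
update_decision() {
    local_r=$1
    remote_r=$(printf '%s' "$2" | tr -d '"')
    case $remote_r in
        ''|*[!0-9]*) echo invalid; return 0 ;;
    esac
    if [ "$remote_r" -gt "$local_r" ]; then echo fetch; else echo current; fi
}

demo() {
    cf=$(mktemp)
    printf '# UPDATE version 590001\n' > "$cf"      # constructed channel file
    name=$(sa_dns_name 3.2.1 updates.spamassassin.org)
    have=$(local_rev "$cf")
    echo "query TXT $name; installed rev $have"
    echo "answer \"590001\" -> $(update_decision "$have" '"590001"')"
    echo "answer \"590417\" -> $(update_decision "$have" '"590417"')"
    rm -f "$cf"
}
demo
```

Only a "fetch" result would lead to the HTTP download; an "invalid" answer is worth logging, since it means the TXT record did not contain a plain revision number.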



RE: Confirm configuration settings

Posted by Joey <Jo...@Web56.Net>.
> -----Original Message-----
> From: Daryl C. W. O'Shea [mailto:spamassassin@dostech.ca]
> Sent: Monday, November 05, 2007 11:22 PM
> To: Joey
> Cc: users@spamassassin.apache.org
> Subject: Re: Confirm configuration settings
> 
> Joey wrote:
> 
> >> A lot of the SARE rules support sa-update, as can be found here.
> >>
> >> http://daryl.dostech.ca/sa-update/sare/sare-sa-update-howto.txt
> >
> > I have seen this page before, but I wasn't able to see what cf's are
> > available there, is there another link that you are aware of?
> > I have scanned through a lot of that.
> 
> Rather than scan, read it all. :)  It's literally less than a page.
> Where to find the ruleset filenames is linked to in the third of the
> four steps.
> 
> Daryl


Maybe I'm confused here, but I have my updates working well with the sare updates, however
I was trying to see if there are other rules that sa-update works with.

Thanks!


Re: Confirm configuration settings

Posted by "Daryl C. W. O'Shea" <sp...@dostech.ca>.
Joey wrote:

>> A lot of the SARE rules support sa-update, as can be found here.
>>
>> http://daryl.dostech.ca/sa-update/sare/sare-sa-update-howto.txt
> 
> I have seen this page before, but I wasn't able to see what cf's are available there, is there another link that you are aware of?
> I have scanned through a lot of that.

Rather than scan, read it all. :)  It's literally less than a page. 
Where to find the ruleset filenames is linked to in the third of the 
four steps.

Daryl


RE: Confirm configuration settings

Posted by Joey <Jo...@Web56.Net>.
> -----Original Message-----
> From: Matt Kettler [mailto:mkettler_sa@verizon.net]
> Sent: Thursday, November 01, 2007 8:38 AM
> To: Joey
> Cc: users@spamassassin.apache.org
> Subject: Re: Confirm configuration settings
> 
> >
> > After my post Help figuring our why SA is taking like 1.5 minutes to
> > filter I decided to kind of clean up my configuration and also get rid
> > of RulesDeJour.
> >
> Hmm interesting..
> 
> Question, what tools do you use to call SA? Do you know for sure what
> user SA runs as while scanning mail?
> 
> If so, try running a sa-learn --force-expire as that user.

On one of my Dual P3 1GHZ servers I received the following after running the above:
sa-learn --force-expire 
bayes: synced databases from journal in 2 seconds: 1325 unique entries (1861 total entries)

On another Dual P4 2.4GHZ I got this:
bayes: synced databases from journal in 0 seconds: 1511 unique entries (2186 total entries)
expired old bayes database entries in 49 seconds
137607 entries kept, 27993 deleted
token frequency: 1-occurrence tokens: 56.77%
token frequency: less than 8 occurrences: 24.52%

> 
> > 1.       Is there a way for me to have sa-update update the .cf files
> > here?
> >
> Some of them can be sa-updated. It's really up to the particular ruleset
> maintainer to set up the DNS features needed. (sa-update doesn't just
> fetch a web page like RDJ does. To save bandwidth it uses DNS to find
> out what the latest update rev is before it goes to HTTP)
> 
> A lot of the SARE rules support sa-update, as can be found here.
> 
> http://daryl.dostech.ca/sa-update/sare/sare-sa-update-howto.txt
> >

I have seen this page before, but I wasn't able to see what cf's are available there, is there another link that you are aware of?
I have scanned through a lot of that.

Thanks for your help!

Joey