Posted to users@spamassassin.apache.org by Arias Hung <ar...@m-a-g.net> on 2006/06/06 01:41:52 UTC

Mail somehow bypassing spamassassin entirely showing up in my Inbox

I've been having the issue lately of at least a few mails a day somehow 
bypassing spamassassin via procmail entirely and showing up in my inbox.

Sometimes it's more like a flood, which forces me inevitably to forward my entire 
inbox through procmail through formail again to filter its spam.

Can someone suggest how I might even go about troubleshooting this?  Perhaps
this is better asked on the procmail list, although I thought I'd give it a shot
here first since I'm subbed.

Thanks in advance to whoever is kind enough to reply.


Re: [SPAM-TAG] Why is this not seen as spam?

Posted by jdow <jd...@earthlink.net>.
"user_conf"? It's a user_prefs for each user and local.cf for the whole
installation, normally, 'ix-ishly speaking.

{o.o}
----- Original Message ----- 
From: "NW7US, Tomas" <nw...@hfradio.org>


> Excellent!
> 
> I am doing this, now.
> 
> One other question: where would I find a reasonably aggressive user_conf  
> example for version 3.1.3?
> 
> Thank you for the help so far.
> 
> On Wed, 07 Jun 2006 23:42:39 -0700, Jeff Chan <je...@surbl.org> wrote:
> 
>> Try using the SARE stock rules:
>>
>>   http://www.rulesemporium.com/rules.htm
> 
> 73 de Tomas, NW7US ( http://ic-discipleship-ministries.org/ )
> 
> : Propagation Editor for CQ, CQ VHF, Popular Communications :
> : Creator; live propagation center http://prop.hfradio.org/ :
> : Associate Member of Propagation Studies Committee of RSGB :
> : 122.93W 47.67N / Brinnon, Washington USA CN87 CW/SSB/DIGI :
> : 10x56526, FISTS 7055, FISTS NW 57, Lighthouse Society 144 :
> : Technical Writer for http://entirenet.net  (Microsoft KB) :

Re: [SPAM-TAG] Why is this not seen as spam?

Posted by "NW7US, Tomas" <nw...@hfradio.org>.
Excellent!

I am doing this, now.

One other question: where would I find a reasonably aggressive user_conf  
example for version 3.1.3?

Thank you for the help so far.

On Wed, 07 Jun 2006 23:42:39 -0700, Jeff Chan <je...@surbl.org> wrote:

> Try using the SARE stock rules:
>
>   http://www.rulesemporium.com/rules.htm

73 de Tomas, NW7US ( http://ic-discipleship-ministries.org/ )

: Propagation Editor for CQ, CQ VHF, Popular Communications :
: Creator; live propagation center http://prop.hfradio.org/ :
: Associate Member of Propagation Studies Committee of RSGB :
: 122.93W 47.67N / Brinnon, Washington USA CN87 CW/SSB/DIGI :
: 10x56526, FISTS 7055, FISTS NW 57, Lighthouse Society 144 :
: Technical Writer for http://entirenet.net  (Microsoft KB) :

Re: [SPAM-TAG] Why is this not seen as spam?

Posted by Jeff Chan <je...@surbl.org>.
On Wednesday, June 7, 2006, 11:33:52 PM, Tomas NW7US wrote:
> The following is a sample of mail that seems to pass through spamassassin,
> but somehow seems to get marked as "ham" as it is tested for spam  
> content.  I am not able to figure out why this is happening.

Try using the SARE stock rules:

  http://www.rulesemporium.com/rules.htm

> The one major issue I keep having with my server is with e-mail.  I  
> suspect that my sendmail is an open gate for spammers, though not in high  
> volume.  I think that I have curtailed a lot of it, but still see strange  
> things, that I am trying to track down.  This one is not an open gate  
> issue, but is still driving me nuts...

If your sendmail is recent (past few years) it won't be open
relay by default.  If it's not current, upgrade.

Jeff C.
-- 
Jeff Chan
mailto:jeffc@surbl.org
http://www.surbl.org/


Re: Why is this not seen as spam?

Posted by jdow <jd...@earthlink.net>.
Tomas, I presume you have a sterling reason for not using Bayes. At
least I see no hint of a Bayes score in your headers even though it
says it autolearned as ham. Either you are autolearning to a different
database than you are using for scanning or you really hashed up its
initial training. Or so it seems to this person whose messages are
always HAM the same as yours - for the same reason. ('cept I'm a W6)

{^_-}
----- Original Message ----- 
From: "NW7US, Tomas" <nw...@hfradio.org>
To: <us...@spamassassin.apache.org>
Sent: Wednesday, June 07, 2006 23:33
Subject: Why is this not seen as spam?


> Hi.
> 
> The following is a sample of mail that seems to pass through spamassassin,  
> but somehow seems to get marked as "ham" as it is tested for spam  
> content.  I am not able to figure out why this is happening.
> 
> If anyone could lend some insight on this, I'd appreciate it.
> 
> The one major issue I keep having with my server is with e-mail.  I  
> suspect that my sendmail is an open gate for spammers, though not in high  
> volume.  I think that I have curtailed a lot of it, but still see strange  
> things, that I am trying to track down.  This one is not an open gate  
> issue, but is still driving me nuts...
> 
> Thanks, in advance, for any help you might be able to offer.
> 
> First, I will show you the header information, then the body (at least a  
> reasonable copy of the message).
> 
> Headers:
> 
>> Return-Path: <bb...@gms0.mar.lmco.com> 
>> X-Spam-Checker-Version: SpamAssassin 3.1.3 (2006-06-01) on  
>> my.server.domain.org 
>> X-Spam-Level: 
>> X-Spam-Status: No, score=0.0 required=1.0 tests=UNPARSEABLE_RELAY,  
>> UPPERCASE_25_50
>>                 autolearn=ham version=3.1.3 
>> Received: from 143000144 (host-213-213-227-17.brutele.be  
>> [213.213.227.17]) by                my.server.domain.org  
>> (8.12.11/8.12.11) with SMTP id k581jZvD024979                for  
>> <to...@some.virtual.domainname.org>; Wed, 7 Jun 2006 18:46:32 -0700
>> Received: from gms0.mar.lmco.com (142854568 [142884056]) by 
>>                 host-213-213-227-17.brutele.be (Qmailv1) with ESMTP id  
>> D1E9EE1BD9 for                <to...@some.virtual.domainname.org>; Wed,  
>> 07 Jun 2006 20:48:40 -0500 
>> Date: Wed, 07 Jun 2006 20:48:40 -0500 
>> From: "Guiana V. Darkness" <bb...@gms0.mar.lmco.com> 
>> X-Mailer: The Bat! (v2.00.8) Personal 
>> X-Priority: 3 
>> Message-ID: <33...@gms0.mar.lmco.com> 
>> To: Tomas <to...@some.virtual.domainname.org> 
>> Subject: did the please 's ROI inform CLIFFORD 's penny 
>> X-AntiVirus: skaner antywirusowy poczty Wirtualnej Polski S. A. 
>> Status: O 
>> X-UID: 656 
>> Content-Length: 1248 
>> X-Keywords: 
>> X-Antivirus: AVG for E-mail 7.1.394 [268.8.2/357] 
>> Mime-Version: 1.0 
>> Content-Transfer-Encoding: 7bit 
>> Content-Type: text/plain
> 
> (I think that the AVG header is from my local box which is used to pop3  
> the message from my server.  AVG is used locally on all incoming mail from  
> my pop mailbox).
> 
> Now, the body:
> 
>> WE TOLD YOU TO WATCH!!!
>>  IT'S STILL NOT TOO LATE! TRADING ALERT!!! Timing is everything!!!  
>> Profits of 200-400% EXPECTED TRADING  SYMB0L: ABSY      Opening Price:  
>> 0.98
>>   Yes, it is MOVING, Tomorrow could be even BIGGER!!! A $1,000 dollar  
>> investment could yield a $5,000 dollar profit injust one trade if you  
>> trade out at the top. ABSY should be one of
>> the most profitable ST0CKs to trade this year. In this range the
>> ST0CK has potential to move in either direction in bigs wings.This means  
>> you should be able to buy at the lows and sell at thehighs for months to  
>> come. YOU COULD MAKE $$$THOUSANDS OF DOLLARS$$$ TRADING.THIS OVER AND  
>> OVER AGAIN. ABSY is also on The REG SHO Threshold list, this means  
>> someone is
>> short the ST0CK. Any significant volume spike could yield drastic
>> results. If the people that are short have to cover, they will bebuying  
>> the shares from you at higher prices. This makes this ST0CKa TRIPLE PLAY  
>> for profits. For pennies you can participate in a ST0CK that could yield  
>> results
>> over and over again just based on the trading patterns if thecompany is  
>> able to effectuate it's business model. WATCH OUT!!!We could see a GREAT  
>> STORY IN THE MAKING. GOOD LUCK AND TRADE OUT AT THE TOP!!!!
>>   --No virus found in this incoming message.
>> Checked by AVG Free Edition.
>> Version: 7.1.394 / Virus Database: 268.8.2/357 - Release Date: 6/6/2006
> 
> -- 
> 
> 73 de Tomas, NW7US ( http://ic-discipleship-ministries.org/ )
> 
> : Propagation Editor for CQ, CQ VHF, Popular Communications :
> : Creator; live propagation center http://prop.hfradio.org/ :
> : Associate Member of Propagation Studies Committee of RSGB :
> : 122.93W 47.67N / Brinnon, Washington USA CN87 CW/SSB/DIGI :
> : 10x56526, FISTS 7055, FISTS NW 57, Lighthouse Society 144 :
> : Technical Writer for http://entirenet.net  (Microsoft KB) :

Re: Why is this not seen as spam?

Posted by Greg McCann <gr...@cambria.com>.
On 6/7/2006 at 11:33 PM NW7US, Tomas <nw...@hfradio.org> wrote:

>The following is a sample of mail that seems to pass through spamassassin,

...

>> WE TOLD YOU TO WATCH!!!
>>  IT'S STILL NOT TOO LATE! TRADING ALERT!!! Timing is everything!!!  

...

Bayes training, plus the 70_sare_stocks.cf ruleset has caught almost all of my stock spam.


Greg



Why is this not seen as spam?

Posted by "NW7US, Tomas" <nw...@hfradio.org>.
Hi.

The following is a sample of mail that seems to pass through spamassassin,  
but somehow seems to get marked as "ham" as it is tested for spam  
content.  I am not able to figure out why this is happening.

If anyone could lend some insight on this, I'd appreciate it.

The one major issue I keep having with my server is with e-mail.  I  
suspect that my sendmail is an open gate for spammers, though not in high  
volume.  I think that I have curtailed a lot of it, but still see strange  
things, that I am trying to track down.  This one is not an open gate  
issue, but is still driving me nuts...

Thanks, in advance, for any help you might be able to offer.

First, I will show you the header information, then the body (at least a  
reasonable copy of the message).

Headers:

> Return-Path: 	<bb...@gms0.mar.lmco.com>	
> X-Spam-Checker-Version: 	SpamAssassin 3.1.3 (2006-06-01) on  
> my.server.domain.org	
> X-Spam-Level: 		
> X-Spam-Status: 	No, score=0.0 required=1.0 tests=UNPARSEABLE_RELAY,  
> UPPERCASE_25_50
>                 autolearn=ham version=3.1.3	
> Received: 	from 143000144 (host-213-213-227-17.brutele.be  
> [213.213.227.17]) by                my.server.domain.org  
> (8.12.11/8.12.11) with SMTP id k581jZvD024979                for  
> <to...@some.virtual.domainname.org>; Wed, 7 Jun 2006 18:46:32 -0700
> Received: 	from gms0.mar.lmco.com (142854568 [142884056]) by 
>                 host-213-213-227-17.brutele.be (Qmailv1) with ESMTP id  
> D1E9EE1BD9 for                <to...@some.virtual.domainname.org>; Wed,  
> 07 Jun 2006 20:48:40 -0500	
> Date: 	Wed, 07 Jun 2006 20:48:40 -0500	
> From: 	"Guiana V. Darkness" <bb...@gms0.mar.lmco.com>	
> X-Mailer: 	The Bat! (v2.00.8) Personal	
> X-Priority: 	3	
> Message-ID: 	<33...@gms0.mar.lmco.com>	
> To: 	Tomas <to...@some.virtual.domainname.org>	
> Subject: 	did the please 's ROI inform CLIFFORD 's penny	
> X-AntiVirus: 	skaner antywirusowy poczty Wirtualnej Polski S. A.	
> Status: 	O	
> X-UID: 	656	
> Content-Length: 	1248	
> X-Keywords: 		
> X-Antivirus: 	AVG for E-mail 7.1.394 [268.8.2/357]	
> Mime-Version: 	1.0	
> Content-Transfer-Encoding: 	7bit	
> Content-Type: 	text/plain

(I think that the AVG header is from my local box which is used to pop3  
the message from my server.  AVG is used locally on all incoming mail from  
my pop mailbox).

Now, the body:

> WE TOLD YOU TO WATCH!!!
>  IT'S STILL NOT TOO LATE! TRADING ALERT!!! Timing is everything!!!  
> Profits of 200-400% EXPECTED TRADING  SYMB0L: ABSY      Opening Price:  
> 0.98
>   Yes, it is MOVING, Tomorrow could be even BIGGER!!! A $1,000 dollar  
> investment could yield a $5,000 dollar profit injust one trade if you  
> trade out at the top. ABSY should be one of
> the most profitable ST0CKs to trade this year. In this range the
> ST0CK has potential to move in either direction in bigs wings.This means  
> you should be able to buy at the lows and sell at thehighs for months to  
> come. YOU COULD MAKE $$$THOUSANDS OF DOLLARS$$$ TRADING.THIS OVER AND  
> OVER AGAIN. ABSY is also on The REG SHO Threshold list, this means  
> someone is
> short the ST0CK. Any significant volume spike could yield drastic
> results. If the people that are short have to cover, they will bebuying  
> the shares from you at higher prices. This makes this ST0CKa TRIPLE PLAY  
> for profits. For pennies you can participate in a ST0CK that could yield  
> results
> over and over again just based on the trading patterns if thecompany is  
> able to effectuate it's business model. WATCH OUT!!!We could see a GREAT  
> STORY IN THE MAKING. GOOD LUCK AND TRADE OUT AT THE TOP!!!!
>   --No virus found in this incoming message.
> Checked by AVG Free Edition.
> Version: 7.1.394 / Virus Database: 268.8.2/357 - Release Date: 6/6/2006

-- 

73 de Tomas, NW7US ( http://ic-discipleship-ministries.org/ )

: Propagation Editor for CQ, CQ VHF, Popular Communications :
: Creator; live propagation center http://prop.hfradio.org/ :
: Associate Member of Propagation Studies Committee of RSGB :
: 122.93W 47.67N / Brinnon, Washington USA CN87 CW/SSB/DIGI :
: 10x56526, FISTS 7055, FISTS NW 57, Lighthouse Society 144 :
: Technical Writer for http://entirenet.net  (Microsoft KB) :

Re: Mail somehow bypassing spamassassin entirely showing up in my Inbox

Posted by "Daryl C. W. O'Shea" <sp...@dostech.ca>.
On 6/7/2006 8:51 PM, Arias Hung wrote:
> On Mon, 05 Jun 2006, Daryl C. W. O'Shea delivered in simple text monotype:
> 
>> Daryl
>>
> <---snip--->
> 
> Ah, and one more quick question while I'm at it.  What would you suggest 
> would be the best way to increase the alarm timeout value?
> Straight in the spamd script?
> 
> When grepping spamd for alarm:
> 
>         # bug 4699: this is the alarm that often ends up with an empty $@
>     alarm $timeout_tcp if ($timeout_tcp);
>   alarm 0;
>       alarm $timeout_child if ($timeout_child);
>     alarm 0;
>       alarm $timeout_child if ($timeout_child);
>     alarm 0;
> 
> 
> Or will setting the --child-timeout flag in spamd be enough?

You'd have to edit the current value (20) at line 953:

         my $timer = Mail::SpamAssassin::Timeout->new({ secs => 20 });


You could try something higher, but it really shouldn't be necessary. 
If the copy is going to succeed (and hasn't really hung up for some 
reason) and is taking this long, chances are it's going to take the 
better part of an hour to actually scan the mail.

I'd look for swap issues first.


Daryl


Re: Mail somehow bypassing spamassassin entirely showing up in my Inbox

Posted by Arias Hung <ar...@m-a-g.net>.
On Mon, 05 Jun 2006, Daryl C. W. O'Shea delivered in simple text monotype:

>Daryl
>
<---snip--->

Ah, and one more quick question while I'm at it.  What would you suggest would be the best way to increase the alarm timeout value?
Straight in the spamd script?

When grepping spamd for alarm:

         # bug 4699: this is the alarm that often ends up with an empty $@
     alarm $timeout_tcp if ($timeout_tcp);
   alarm 0;
       alarm $timeout_child if ($timeout_child);
     alarm 0;
       alarm $timeout_child if ($timeout_child);
     alarm 0;


Or will setting the --child-timeout flag in spamd be enough?



Re: Mail somehow bypassing spamassassin entirely showing up in my Inbox

Posted by Arias Hung <ar...@m-a-g.net>.
Actually, I just went through the archives and found your suggestion a few months
ago regarding upping the alarm value from 10 to 100.  My problem actually sounds
like this might be a similar issue as I notice a lot more spam gets through when
I have a high load.

Any other suggestions aside from this?

Thanks again for your help.

Re: Mail somehow bypassing spamassassin entirely showing up in my Inbox

Posted by "Daryl C. W. O'Shea" <sp...@dostech.ca>.
Arias Hung wrote:
> On Thu, 08 Jun 2006, Daryl C. W. O'Shea delivered in simple text monotype:
> 

>> As for the copy_config timeouts... what kind of system load are you 
>> seeing.  10, 50, 500, or higher?  The current 20 seconds alarm is 
>> twice the original alarm timeout, but if you've got a high enough load 
>> it could still be a problem.  You could increase this value to 
>> something practically unusable, like 300, but I'd be really surprised 
>> (and would like to know about) if the timeout isn't being caused by insane 
>> load or excessive swapping.
> 
> Actually, with the load at just around 5-6 I'm noticing spam starting to 
> seep through.  When my snapshot utility kicks in twice
> a day to take snapshots of my filesystem that seems to unleash the 
> largest torrents of unchecked spam.

fs snapshots would make swap effectively useless.  You'll be waiting all 
day for disk I/O.


>> So... how much memory do you have in this machine, how much is free, 
>> and how much (hopefully none or little) swap is being used.  If swap 
>> is being used, how much of the spamd processes are being swapped out 
>> (check while the system is idle after it's been busy for a bit).
> 
> 1 gig.  Here's a sample of my free/spam:
> 
> # free -m
>              total       used       free     shared    buffers     cached
> Mem:          1010        982         28          0         94        149
> -/+ buffers/cache:        738        272
> Swap:         1953        516       1436

If you look at  'top'  I'm sure you'll see that a good portion of the 
spamd processes have been swapped out whenever you see this happen.



> This is with the alarm timeout value increased to 40 in spamd as you 
> suggested.

Yeah, that's not really going to help.  It's going to take a LONG time 
if you're swap thrashing.


> Does this ring any bells?

Yup.  I'm almost certain that this is definitely caused by the spamd 
processes being swapped in and out.


> Thanks for your continued help on this.

No problem.  Bill is in the mail!  :)


Daryl

Re: Mail somehow bypassing spamassassin entirely showing up in my Inbox

Posted by Arias Hung <ar...@m-a-g.net>.
On Thu, 08 Jun 2006, Daryl C. W. O'Shea delivered in simple text monotype:

>On 6/7/2006 8:09 PM, Arias Hung wrote:

>For the "normal timeouts", it sounds like you might be consistently having a problem with bayes expiry.  Although, such a problem 
>isn't normally consistent AND long (time wise) when using spamd.  You could try running an  "sa-learn --force-expire"  to see if it 
>helps.
<---snip--->

I tried force-expire, although it didn't seem to do much.  BTW I'm using bayes with the mysql plugins, if that makes any difference.
Everything on the mysql end of things is correct, tables created as they should, and logging as I expect.

>As for the copy_config timeouts... what kind of system load are you seeing.  10, 50, 500, or higher?  The current 20 seconds alarm 
>is twice the original alarm timeout, but if you've got a high enough load it could still be a problem.  You could increase this 
>value to something practically unusable, like 300, but I'd be really surprised (and would like to know about) if the timeout isn't being 
>caused by insane load or excessive swapping.

Actually, with the load at just around 5-6 I'm noticing spam starting to seep through.  When my snapshot utility kicks in twice
a day to take snapshots of my filesystem that seems to unleash the largest torrents of unchecked spam. 

>So... how much memory do you have in this machine, how much is free, and how much (hopefully none or little) swap is being used.  
>If swap is being used, how much of the spamd processes are being swapped out (check while the system is idle after it's been busy 
>for a bit).

1 gig.  Here's a sample of my free/spam:

# free -m
              total       used       free     shared    buffers     cached
Mem:          1010        982         28          0         94        149
-/+ buffers/cache:        738        272
Swap:         1953        516       1436

My spamc looks as follows: spamc -s 250000 -t 450

Although lately I've begun experimenting with the -x flag with spamc and have 
discovered the following in my procmail logs:

procmail: Program failure (74) of "/usr/bin/spamc"
procmail: Rescue of unfiltered data succeeded
 From vi758@coo.net  Fri Jun  9 08:13:45 2006
  Subject: XXXlXX
   Folder: Inbox/new/1149866025.31852_3.radio   

The program failure (74) and Rescue unfiltered data lines always precede
missed spam going into my Inbox.

This is with the alarm timeout value increased to 40 in spamd as you suggested.

Does this ring any bells?

Thanks for your continued help on this.
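
Added example, not part of the original thread: a small Python parser for the procmail log pattern reported in the message above, flagging each delivery that was preceded by a spamc "Program failure" line and a "Rescue of unfiltered data succeeded" line. Exit code 74 is EX_IOERR in sysexits.h; the function names, the message sizes and every log entry other than the vi758@coo.net one are constructed for illustration.

```python
import re
from collections import Counter

# sysexits.h names for exit codes a failing filter can hand back to procmail
SYSEXITS = {64: "EX_USAGE", 65: "EX_DATAERR", 66: "EX_NOINPUT", 68: "EX_NOHOST",
            69: "EX_UNAVAILABLE", 70: "EX_SOFTWARE", 71: "EX_OSERR",
            74: "EX_IOERR", 75: "EX_TEMPFAIL", 76: "EX_PROTOCOL", 78: "EX_CONFIG"}

FAIL_RE = re.compile(r'procmail: Program failure \((\d+)\) of "([^"]+)"')
RESCUE = "procmail: Rescue of unfiltered data succeeded"

# Constructed sample log; only the middle entry comes from the thread.
SAMPLE_LOG = """\
From alice@example.org  Fri Jun  9 08:10:02 2006
 Subject: lunch
  Folder: Inbox/new/1149865802.31801_1.radio   1822
procmail: Program failure (74) of "/usr/bin/spamc"
procmail: Rescue of unfiltered data succeeded
From vi758@coo.net  Fri Jun  9 08:13:45 2006
 Subject: XXXlXX
  Folder: Inbox/new/1149866025.31852_3.radio   2210
procmail: Program failure (1) of "/usr/bin/formail"
From bob@example.org  Fri Jun  9 08:15:00 2006
 Subject: report
  Folder: Inbox/new/1149866100.31860_1.radio   900
"""


def parse_procmail_log(text):
    """Return one record per delivery, flagged if spamc failed just before it."""
    deliveries = []
    pending_code = None   # exit code of a failed spamc not yet tied to a delivery
    rescued = False       # True once procmail reports it kept the unfiltered copy
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = FAIL_RE.match(line)
        if m:
            # Only failures of spamc matter here; other programs are ignored.
            if m.group(2).rsplit("/", 1)[-1] == "spamc":
                pending_code = int(m.group(1))
            continue
        if line == RESCUE:
            rescued = pending_code is not None
            continue
        if line.startswith("From "):
            parts = line.split(None, 2)
            current = {"sender": parts[1],
                       "date": parts[2] if len(parts) > 2 else "",
                       "subject": "", "folder": "",
                       "spamc_exit": pending_code, "unfiltered": rescued}
            pending_code, rescued = None, False
            continue
        if current is None:
            continue
        if line.startswith("Subject:"):
            current["subject"] = line[len("Subject:"):].strip()
        elif line.startswith("Folder:"):
            fields = line[len("Folder:"):].split()
            current["folder"] = fields[0] if fields else ""
            deliveries.append(current)   # Folder: closes the log abstract
            current = None
    return deliveries


def summarize(deliveries):
    """Count unfiltered deliveries and group them by spamc exit code name."""
    leaked = [d for d in deliveries if d["unfiltered"]]
    codes = Counter(SYSEXITS.get(d["spamc_exit"], str(d["spamc_exit"]))
                    for d in leaked)
    return {"total": len(deliveries), "unfiltered": len(leaked),
            "by_exit": dict(codes)}


if __name__ == "__main__":
    records = parse_procmail_log(SAMPLE_LOG)
    for rec in records:
        if rec["unfiltered"]:
            print(rec["date"], rec["sender"], rec["folder"], rec["spamc_exit"])
    print(summarize(records))
```

Comparing the timestamps of the flagged deliveries with load or snapshot times shows whether the failures cluster around busy periods.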

Re: Mail somehow bypassing spamassassin entirely showing up in my Inbox

Posted by "Daryl C. W. O'Shea" <sp...@dostech.ca>.
On 6/7/2006 8:09 PM, Arias Hung wrote:
> On Tue, 06 Jun 2006, Daryl C. W. O'Shea delivered in simple text monotype:
> 
>> How long are messages (that are logged) taking to be scanned by 
>> SpamAssassin when/before this happens.  What timeout are you using 
>> with spamc?  You are using spamc, right, and not spamassassin?
> 
> <---snip--->
> 
> Yes, I'm using spamc.  I didn't set timeout on spamc, so I'm assuming 
> it's at its default level 300 seconds.  Should it be longer?

The default should be more than sufficient.


> I'm also noticing a lot of copy_config timeouts, and a few normal 
> timeouts that exceed the 300 seconds.  I will try upping the timeout 
> value ... are you aware if the copy_config can be resolved this way as well, 
> or can upping the # of children help?

For the "normal timeouts", it sounds like you might be consistently 
having a problem with bayes expiry.  Although, such a problem isn't 
normally consistent AND long (time wise) when using spamd.  You could 
try running an  "sa-learn --force-expire"  to see if it helps.

As for the copy_config timeouts... what kind of system load are you 
seeing.  10, 50, 500, or higher?  The current 20 seconds alarm is twice 
the original alarm timeout, but if you've got a high enough load it 
could still be a problem.  You could increase this value to something 
practically unusable, like 300, but I'd be really surprised (and would 
like to know about) if the timeout isn't being caused by insane load or 
excessive swapping.

So... how much memory do you have in this machine, how much is free, and 
how much (hopefully none or little) swap is being used.  If swap is 
being used, how much of the spamd processes are being swapped out (check 
while the system is idle after it's been busy for a bit).

Since you suggested that this might be a personal workstation you're 
running this on, there's a good chance that 4 children might actually be 
too many.

BTW... is this Linux, or BSD, or something else?


Daryl

Re: Mail somehow bypassing spamassassin entirely showing up in my Inbox

Posted by Arias Hung <ar...@m-a-g.net>.
On Tue, 06 Jun 2006, Daryl C. W. O'Shea delivered in simple text monotype:

>How long are messages (that are logged) taking to be scanned by SpamAssassin when/before this happens.  What timeout are you using with 
>spamc?  You are using spamc, right, and not spamassassin?
<---snip--->

Yes, I'm using spamc.  I didn't set timeout on spamc, so I'm assuming it's at its default level 300 seconds.  Should it be longer?

I'm also noticing a lot of copy_config timeouts, and a few normal timeouts that exceed the 300 seconds.  I will try upping the timeout value ... are you aware if the copy_config can be resolved this way as well, or can upping the # of children help?


Re: Mail somehow bypassing spamassassin entirely showing up in my Inbox

Posted by "Daryl C. W. O'Shea" <sp...@dostech.ca>.
Arias Hung wrote:

> Thanks for your reply.  I actually limit my maxchildren to 4 due to the 
> intensive memory hogging nature of the beast.  At present
> I'm using a recent spamassassin compiled from the svn version 
> 3.2.0-r386260.  My spamassassin logs have absolutely no trace of the spam
> that gets through, but my procmail logs of course record the spam going 
> into my Inbox.  That's why I'm hoping for a hint on even
> where to begin troubleshooting the leakage.
> 
> Anything come to mind?

How long are messages (that are logged) taking to be scanned by 
SpamAssassin when/before this happens.  What timeout are you using with 
spamc?  You are using spamc, right, and not spamassassin?

Daryl

Re: Mail somehow bypassing spamassassin entirely showing up in my Inbox

Posted by Theo Van Dinter <fe...@apache.org>.
On Wed, Jun 07, 2006 at 05:13:07PM -0700, Arias Hung wrote:
> Are you aware of any issues such as I described in 3.2.0?

The only two ways that occur to me off-hand for a message to skip SA is either
1) the message is larger than the spamc max size (250k) or 2) all of the spamd
children are busy so spamc eventually times out waiting for attention.

> Yes, I'm noticing copy_config timeouts ... could this be a consequence of 
> too few children? 

Typically a timeout on copy_config means your machine is extremely busy,
perhaps just a lot of processes, or you're hitting swap a lot, or ...
What kind of load levels are you seeing on there?

-- 
Randomly Generated Tagline:
If you live to the age of a hundred you have it made because very few
 people die past the age of a hundred.
 		-- George Burns

Re: Mail somehow bypassing spamassassin entirely showing up in my Inbox

Posted by Arias Hung <ar...@m-a-g.net>.
On Tue, 06 Jun 2006, Theo Van Dinter delivered in simple text monotype:

>On Tue, Jun 06, 2006 at 06:28:48AM -0700, Arias Hung wrote:
>> intensive memory hogging nature of the beast.  At present
>> I'm using a recent spamassassin compiled from the svn version 
>> 3.2.0-r386260.  My spamassassin logs have absolutely no trace of the spam
>
>Just curious, is there a reason you're running 3.2.0?  It's completely not
>meant for production use yet.

I usually try and use the latest bleeding edge on my client/workstation machine,
as I don't quite consider it a 'production' machine, while familiarizing myself
with it in the process before upgrading 'production' level machines I administer.

Are you aware of any issues such as I described in 3.2.0?

>Since you limited spamd to 4 children, if say, 6 messages come in that need to
>be scanned, 2 will be left sitting around waiting for a child to free up.  If
>it takes long enough that spamc or whatever calling spamc times out, the
>message will (likely) continue through unprocessed.
<---snip--->

Yes, I'm noticing copy_config timeouts ... could this be a consequence of too few
children? 

Re: Mail somehow bypassing spamassassin entirely showing up in my Inbox

Posted by Theo Van Dinter <fe...@apache.org>.
On Tue, Jun 06, 2006 at 06:28:48AM -0700, Arias Hung wrote:
> intensive memory hogging nature of the beast.  At present
> I'm using a recent spamassassin compiled from the svn version 
> 3.2.0-r386260.  My spamassassin logs have absolutely no trace of the spam

Just curious, is there a reason you're running 3.2.0?  It's completely not
meant for production use yet.

> Thanks for your reply.  I actually limit my maxchildren to 4 due to the
> intensive memory hogging nature of the beast.  At present
[...]
> that gets through, but my procmail logs of course record the spam going 
> into my Inbox.  That's why I'm hoping for a hint on even
> where to begin troubleshooting the leakage.

Since you limited spamd to 4 children, if say, 6 messages come in that need to
be scanned, 2 will be left sitting around waiting for a child to free up.  If
it takes long enough that spamc or whatever calling spamc times out, the
message will (likely) continue through unprocessed.

-- 
Randomly Generated Tagline:
 Marv Albert: He's really showing us what a man with a cannon 
    in his chest can do.

Re: Mail somehow bypassing spamassassin entirely showing up in my Inbox

Posted by Arias Hung <ar...@m-a-g.net>.
On Mon, 05 Jun 2006, Daryl C. W. O'Shea delivered in simple text monotype:

>Are all of your spamd children busy when this happens?  You could have more children enabled than your system memory can support.
>
>Are you using SA < 3.1.2 and allow_user_rules?  If so it could be a Perl bug being triggered.  You'd see "insecure dependency" errors 
>in your maillog if this is the case.
>
>Are you seeing any errors in your maillog?  Have you looked at your maillog?
<---snip--->

Hi Daryl,

Thanks for your reply.  I actually limit my maxchildren to 4 due to the intensive memory hogging nature of the beast.  At present
I'm using a recent spamassassin compiled from the svn version 3.2.0-r386260.  My spamassassin logs have absolutely no trace of the spam
that gets through, but my procmail logs of course record the spam going into my Inbox.  That's why I'm hoping for a hint on even
where to begin troubleshooting the leakage.

Anything come to mind?

-Arias 

Re: Mail somehow bypassing spamassassin entirely showing up in my Inbox

Posted by "Daryl C. W. O'Shea" <sp...@dostech.ca>.
On 6/5/2006 7:41 PM, Arias Hung wrote:
> I've been having the issue lately of at least a few mails a day somehow 
> bypassing spamassassin via procmail entirely and showing up in my inbox.
> 
> Sometimes it's more like a flood, which forces me inevitably to forward 
> my entire inbox through procmail through formail again to filter its spam.
> 
> Can someone suggest how I might even go about troubleshooting this?  
> Perhaps
> this is better asked on the procmail list, although I thought I'd give 
> it a shot
> here first since I'm subbed.
> 
> Thanks in advance to whoever is kind enough to reply.

Are all of your spamd children busy when this happens?  You could have 
more children enabled than your system memory can support.

Are you using SA < 3.1.2 and allow_user_rules?  If so it could be a Perl 
bug being triggered.  You'd see "insecure dependency" errors in your 
maillog if this is the case.

Are you seeing any errors in your maillog?  Have you looked at your maillog?


Daryl