You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@spamassassin.apache.org by Luis Croker <lc...@megacable.com.mx> on 2008/10/24 01:56:57 UTC
Spamassassin+amavis
Hi...
I have a mail server with FreeBSD 7.0, postfix+amavis-new
+spamassassin. We are an ISP and I need to filter the spam that our
susbribers are sending to internet, the PCs have some malware or are
botnets. These PCs generates a lot of spam each day.
The server filters a los of Spam but some times the queue is so
crowded. I have to questions...
Do you have any recomendation to improve the performance on the
server ??
How can I catch more spam than the seerver is filtering ? The server
blocks many messages but another spam messages goes to internet cause
the score does not reach the parameters to be blocked.
thanks a lot. Regards.
Re: Spamassassin+amavis
Posted by SM <sm...@resistor.net>.
At 10:12 24-10-2008, Luis Croker wrote:
> I have updated the SARE rules... how often should I update them ? Daily ?
It's been a while since the SARE rules have been updated. Checking
for updates daily would only generate useless traffic. It's better
to get the updates provided by the SpamAssassin project (
http://wiki.apache.org/spamassassin/RuleUpdates ). The "sought"
rules ( http://wiki.apache.org/spamassassin/SoughtRules ) are quite
effective in catching "fresh" spam messages.
Regards,
-sm
Re: Spamassassin+amavis
Posted by Luis Croker <lc...@megacable.com.mx>.
I have 4 CPUS and 4 Gigs of RAM. The server have just the mail
applications and is doing nothing else.... the CPUs are 100%
available.
About the spamd childs... The amavis-new calls the utilities of
spamassassin but i think it doesnt need the spamd deamon running...
just use it to get the score and reinject the mail to postfix again.
Is that correct ?
On Tue, 2008-10-28 at 08:50 -0700, John Hardin wrote:
> On Tue, 28 Oct 2008, Luis Croker wrote:
>
> > I continue with slow delivery in my mail server. Like I told you, the
> > filters are working well, but the mail queue some times is big and slow.
> >
> > I have read http://wiki.apache.org/spamassassin/FasterPerformance
>
> Have you checked to see whether your computer is simply overloaded? How
> much memory is installed? Are you hitting swap? How many spamd child
> processes are running?
>
Luis Croker
SCSA - SCNA
Administrador de Sistemas
Megacable Comunicaciones
GPG Key1024D/48C1764B
Key fingerprint = E8B6 E84F ECE4 661E 30C7 7208 042D BD09 48C1 764B
Re: Spamassassin+amavis
Posted by John Hardin <jh...@impsec.org>.
On Tue, 28 Oct 2008, Luis Croker wrote:
> I continue with slow delivery in my mail server. Like I told you, the
> filters are working well, but the mail queue some times is big and slow.
>
> I have read http://wiki.apache.org/spamassassin/FasterPerformance
Have you checked to see whether your computer is simply overloaded? How
much memory is installed? Are you hitting swap? How many spamd child
processes are running?
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin@impsec.org FALaholic #11174 pgpk -a jhardin@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
...the Fates notice those who buy chainsaws...
-- www.darwinawards.com
-----------------------------------------------------------------------
3 days until Halloween
Re: Spamassassin+amavis
Posted by "McDonald, Dan" <Da...@austinenergy.com>.
On Tue, 2008-10-28 at 09:34 -0600, Luis Croker wrote:
>
> Hi all...
>
> .
> smtp-amavis unix - - n - 100 smtp
> -o smtp_data_done_timeout=1200
> -o smtp_send_xforward_command=yes
> -o disable_dns_lookups=yes
>
> and I have the same number of procs for amavisd:
> $max_servers = 100;
Wow, 100 procs! How many terabytes of ram do you have?
You probably want to reduce that number until you stop swapping...
--
Daniel J McDonald, CCIE #2495, CISSP #78281, CNX
Austin Energy
http://www.austinenergy.com
Re: Spamassassin+amavis
Posted by Luis Croker <lc...@megacable.com.mx>.
Hi all...
I continue with slow delivery in my mail server. Like I told you,
the filters are working well, but the mail queue some times is big and
slow.
I have read http://wiki.apache.org/spamassassin/FasterPerformance
and I did some chages to try to get performance. This changes are:
-I installed a DNS server locally, in the same server.
-I turned off DCC, Razor and Pyzor.
-I set the bayes use to 0.
Im calling amavis from postfix in main.cf :
content_filter=smtp-amavis:[127.0.0.1]:10024
My master.cf:
#
==========================================================================
# service type private unpriv chroot wakeup maxproc command + args
# (yes) (yes) (yes) (never) (100)
#
==========================================================================
smtp inet n - n - - smtpd
.
.
.
smtp-amavis unix - - n - 100 smtp
-o smtp_data_done_timeout=1200
-o smtp_send_xforward_command=yes
-o disable_dns_lookups=yes
127.0.0.1:10025 inet n - n - - smtpd
-o content_filter=
-o local_recipient_maps=
-o relay_recipient_maps=
-o smtpd_restriction_classes=
-o smtpd_client_restrictions=
-o smtpd_helo_restrictions=
-o smtpd_sender_restrictions=
-o smtpd_recipient_restrictions=permit_mynetworks,reject
-o mynetworks=127.0.0.0/8
-o strict_rfc821_envelopes=yes
-o smtpd_error_sleep_time=0
-o smtpd_soft_error_limit=1001
-o smtpd_hard_error_limit=1000
and I have the same number of procs for amavisd:
$max_servers = 100;
I dont know if I have something wrong in my conf files or I m
missing some confs.
the system continues slow... yesterday I was doing some tests... I
sente 500 mail from my PC to the server just working with postfix (no
amavis) and the mails are delivery inmediatly, but when I enable the
amavisd, the mails keep in the queue for a while and slowly starts the
delivery which use somethig like 3 minutes.
I feel that amavis works very well filtering... right now my
unique problem is the performance and the efficient processing of the
mail queue.
Any ideas or advices ?
Thank you very much.
On Fri, 2008-10-24 at 18:59 -0500, Luis Croker wrote:
>
> Hi.. thanks all for the answers.. I have enabled the most high
> debug level and I have figured out some rules that I modified and put
> the scro directly in local.cf and now Im filtering very well the
> mails...
>
> So, now I have another issue... My performance is not good. Some
> times I have a lot of petitions and the mails goes to the mail queue
> and the delivery rate is slow...
>
> How can I get a better delivery rate ? is there a variable for
> the active mail queue or somethig like that ?
>
> Thans.. regards.
>
>
> On Fri, 2008-10-24 at 10:21 -0700, John Hardin wrote:
>
> > On Fri, 24 Oct 2008, Luis Croker wrote:
> >
> > > I have updated the SARE rules... how often should I update them ?
> > > Daily ?
> >
> > SARE development has frozen while Real Life intrudes. The ninjas have said
> > they will announce any updates on the list, when and if they occur, and
> > will announce if regular maintenance resumes.
> >
> > Grab what's on the website once, and watch the SA list.
> >
Re: Spamassassin+amavis
Posted by John Hardin <jh...@impsec.org>.
On Fri, 24 Oct 2008, Luis Croker wrote:
> So, now I have another issue... My performance is not good. Some
> times I have a lot of petitions and the mails goes to the mail queue and
> the delivery rate is slow...
http://wiki.apache.org/spamassassin/FasterPerformance
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin@impsec.org FALaholic #11174 pgpk -a jhardin@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
11 days until the Presidential Election
Re: Spamassassin+amavis
Posted by Luis Croker <lc...@megacable.com.mx>.
Hi.. thanks all for the answers.. I have enabled the most high debug
level and I have figured out some rules that I modified and put the scro
directly in local.cf and now Im filtering very well the mails...
So, now I have another issue... My performance is not good. Some
times I have a lot of petitions and the mails goes to the mail queue and
the delivery rate is slow...
How can I get a better delivery rate ? is there a variable for the
active mail queue or somethig like that ?
Thans.. regards.
On Fri, 2008-10-24 at 10:21 -0700, John Hardin wrote:
> On Fri, 24 Oct 2008, Luis Croker wrote:
>
> > I have updated the SARE rules... how often should I update them ?
> > Daily ?
>
> SARE development has frozen while Real Life intrudes. The ninjas have said
> they will announce any updates on the list, when and if they occur, and
> will announce if regular maintenance resumes.
>
> Grab what's on the website once, and watch the SA list.
>
Luis Croker
SCSA - SCNA
Administrador de Sistemas
Megacable Comunicaciones
GPG Key1024D/48C1764B
Key fingerprint = E8B6 E84F ECE4 661E 30C7 7208 042D BD09 48C1 764B
Re: Spamassassin+amavis
Posted by John Hardin <jh...@impsec.org>.
On Fri, 24 Oct 2008, Luis Croker wrote:
> I have updated the SARE rules... how often should I update them ?
> Daily ?
SARE development has frozen while Real Life intrudes. The ninjas have said
they will announce any updates on the list, when and if they occur, and
will announce if regular maintenance resumes.
Grab what's on the website once, and watch the SA list.
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin@impsec.org FALaholic #11174 pgpk -a jhardin@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
Health Care _is_ a right - the government has no business keeping
you from getting it. But forcing somebody else to pay for your
health care at gunpoint (i.e. through taxation) is _not_ a right.
-----------------------------------------------------------------------
11 days until the Presidential Election
Re: Spamassassin+amavis
Posted by mouss <mo...@netoyen.net>.
Luis Croker a écrit :
>
> I have updated the SARE rules... how often should I update them ? Daily ?
>
no. they don't change often. (I don't update them anymore, so I don't
know when they were last updated...).
JM_SOUGHT rules get updated often.
Re: Spamassassin+amavis
Posted by Luis Croker <lc...@megacable.com.mx>.
I have updated the SARE rules... how often should I update them ?
Daily ?
On Thu, 2008-10-23 at 23:19 -0700, SM wrote:
> At 16:56 23-10-2008, Luis Croker wrote:
> > I have a mail server with FreeBSD 7.0,
> > postfix+amavis-new+spamassassin. We are an ISP and I need to
> > filter the spam that our susbribers are sending to internet, the
> > PCs have some malware or are botnets. These PCs generates a lot of
> > spam each day.
> >
> > The server filters a los of Spam but some times the queue is so
> > crowded. I have to questions...
> >Do you have any recomendation to improve the performance on the server ??
>
> http://wiki.apache.org/spamassassin/FasterPerformance
>
> >How can I catch more spam than the seerver is filtering ? The server
> >blocks many messages but another spam messages goes to internet
> >cause the score does not reach the parameters to be blocked.
>
> If you are running an old version of SpamAssassin, update it. Run
> sa-update to keep the rules updated.
>
> Analyze SMTP traffic to detect any signs of abuse and quarantine
> these hosts. You may have to reach out to the customers and help
> them clean infected hosts. Use the feedback from your abuse
> department. You can also get feedback from anti-abuse groups and
> subscribe to feedback loops. Identify the spam messages not reaching
> the threshold and add rules to catch them.
>
> Regards,
> -sm
>
>
Luis Croker
SCSA - SCNA
Administrador de Sistemas
Megacable Comunicaciones
GPG Key1024D/48C1764B
Key fingerprint = E8B6 E84F ECE4 661E 30C7 7208 042D BD09 48C1 764B
Re: Spamassassin+amavis
Posted by SM <sm...@resistor.net>.
At 16:56 23-10-2008, Luis Croker wrote:
> I have a mail server with FreeBSD 7.0,
> postfix+amavis-new+spamassassin. We are an ISP and I need to
> filter the spam that our susbribers are sending to internet, the
> PCs have some malware or are botnets. These PCs generates a lot of
> spam each day.
>
> The server filters a los of Spam but some times the queue is so
> crowded. I have to questions...
>Do you have any recomendation to improve the performance on the server ??
http://wiki.apache.org/spamassassin/FasterPerformance
>How can I catch more spam than the seerver is filtering ? The server
>blocks many messages but another spam messages goes to internet
>cause the score does not reach the parameters to be blocked.
If you are running an old version of SpamAssassin, update it. Run
sa-update to keep the rules updated.
Analyze SMTP traffic to detect any signs of abuse and quarantine
these hosts. You may have to reach out to the customers and help
them clean infected hosts. Use the feedback from your abuse
department. You can also get feedback from anti-abuse groups and
subscribe to feedback loops. Identify the spam messages not reaching
the threshold and add rules to catch them.
Regards,
-sm
RE: Spamassassin+amavis
Posted by Jean-Paul Natola <jn...@familycareintl.org>.
maybe if you block messages with no rdns record? if its from infected pc's
there shouldnt be a record?
________________________________
From: Luis Croker [mailto:lcroker@megacable.com.mx]
Sent: Thu 10/23/2008 19:56
To: users@spamassassin.apache.org
Subject: Spamassassin+amavis
Hi...
I have a mail server with FreeBSD 7.0, postfix+amavis-new+spamassassin. We
are an ISP and I need to filter the spam that our susbribers are sending to
internet, the PCs have some malware or are botnets. These PCs generates a
lot of spam each day.
The server filters a los of Spam but some times the queue is so crowded. I
have to questions...
Do you have any recomendation to improve the performance on the server ??
How can I catch more spam than the seerver is filtering ? The server blocks
many messages but another spam messages goes to internet cause the score
does not reach the parameters to be blocked.
thanks a lot. Regards.
Re: Spamassassin+amavis
Posted by Benny Pedersen <me...@junc.org>.
On Fri, October 24, 2008 01:56, Luis Croker wrote:
> How can I catch more spam than the seerver is filtering ? The server
> blocks many messages but another spam messages goes to internet cause
> the score does not reach the parameters to be blocked.
go the smtp auth route, when spam comes in from a smtp auth user you know
with ueer to remove smtp auth from, i bet thay will wonder why cant i send
mail anymore and figure out there computer is in botnet
--
Benny Pedersen
Need more webspace ? http://www.servage.net/?coupon=cust37098
Re: Spamassassin+amavis
Posted by mouss <mo...@netoyen.net>.
Luis Croker a écrit :
>
> Hi...
>
> I have a mail server with FreeBSD 7.0,
> postfix+amavis-new+spamassassin. We are an ISP and I need to filter the
> spam that our susbribers are sending to internet, the PCs have some
> malware or are botnets. These PCs generates a lot of spam each day.
>
> The server filters a los of Spam but some times the queue is so
> crowded. I have to questions...
> Do you have any recomendation to improve the performance on the server ??
>
> How can I catch more spam than the seerver is filtering ? The server
> blocks many messages but another spam messages goes to internet cause
> the score does not reach the parameters to be blocked.
>
by default, amavisd-new won't add SA headers if the mail is not destined
to a "local" domain. you may need to tweak this.
filtering outbound mail is a bit harder (exceptionally at an ISP). note
that you should not use the PBL (or any "dul" like DNSBL).
consider using policyd (www.policyd.org), it has a rate limiting
functionality. use Version 1 which has been used in ISP environment
(single threaded C daemon). (of course, don't use greylisting.
greylisting is for MTAs, not for MUAs). For questions about this, use
the postfix users list.
Also, as others said, start migrating to submission: port 587 with SASL
authentication. Even if this won't block "motivated" malware authors, it
adds a barrier and is currently the recommended approach. and while you
are in, see if you can also move to TLS (STARTTLS on 587 for standard
compliant MUAs, and the old 465 for others).