Posted to users@spamassassin.apache.org by martes <ma...@mgwigglesworth.com> on 2009/04/10 18:13:07 UTC

Further information on tweaking tips...

Greetings list.

I have been running spamassassin in default install mode for a few
months now, and in the past week, I have been getting some misfires, I
would have to assume, since I have been receiving obvious spam.  

Where should I start in troubleshooting this type of issue?  

I have not had the time to really get deep into custom rule sets, and
all, so I just wanted to know whether I need to add these addresses to
the blacklist, or if I should first check to see if a specific setting
is failing.  I even got a particular email that listed a different name
as the recipient, and gave that name in the heading of the email, but it
was still addressed to me.  I am not that familiar with spam practices,
so that was just odd, in the least.

I also want to know how to pipe the logs from spamd
into /var/log/spamd.log.

I have newsyslog.conf and syslog.conf set up to shoot those logs to that
log file, however, nothing gets sent there. I guess everything is
getting picked up by the maillog.info directive.  The thing is, how do I
unregister spamassassin as part of the mail system, so that this flag
will not return true for spamd?




Re: Further information on tweaking tips...

Posted by John Hardin <jh...@impsec.org>.
On Fri, 10 Apr 2009, martes wrote:

> I have been running spamassassin in default install mode for a few 
> months now, and in the past week, I have been getting some misfires, I
> would have to assume, since I have been receiving obvious spam.
>
> Where should I start in troubleshooting this type of issue?

Post a sample of such a false negative - including _all_ headers, in plain 
text - to a pastebin site or a website you can publish files on, and send 
the URL to the list. If we can see what's happening, we can make concrete 
suggestions.

> I have not had the time to really get deep into custom rule sets,

Don't worry about custom rules right away. Let's first make sure all the 
basics are properly configured, and you haven't fallen into some of the 
pitfalls waiting for new SA admins (such as using whitelist_from).

> I even got a particular email that listed a different name as the 
> recipient, and gave that name in the heading of the email, but it was 
> still addressed to me.

That's how BCC works.

-- 
  John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
  jhardin@impsec.org    FALaholic #11174     pgpk -a jhardin@impsec.org
  key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
   An AR-15 in civilian hands used to defend a home or business:
     a High Velocity Assault Weapon with High Capacity Magazines
   An AR-15 in Law Enforcement Officer hands used to murder six kids:
     a Police-Style Patrol Rifle
-----------------------------------------------------------------------
  3 days until Thomas Jefferson's 266th Birthday

Re: Further information on tweaking tips...

Posted by Karsten Bräckelmann <gu...@rudersport.de>.
On Fri, 2009-04-10 at 12:13 -0400, martes wrote:
> I have been running spamassassin in default install mode for a few
> months now, and in the past week, I have been getting some misfires, I
> would have to assume, since I have been receiving obvious spam.  

By mis-fire you actually mean "not firing", spam slipping by? There is
absolutely no way to give advice how to catch these, without a sample, a
raw message including all headers (upload it somewhere, maybe using a
pastebin).

Well, other than re-iterating common practices, which have been
mentioned numerous times on this list. ;)


> Where should I start in troubleshooting this type of issue?  

By looking at the mail body, its headers and the rules triggered. Or
hope someone on this list will do it for you -- if you provide samples.

SA version?  Do you use sa-update?


> I have not had the time to really get deep into custom rule sets, and
> all, so I just wanted to know whether I need to add these addresses to
> the blacklist, or if I should first check to see if a specific setting
> is failing.  I even got a particular email that listed a different name
> as the recipient, and gave that name in the heading of the email, but it
> was still addressed to me.  I am not that familiar with spam practices,
> so that was just odd, in the least.

Nothing odd about that at all. The To header is just some sugar coating.
It's irrelevant otherwise, and not involved in specifying the actual
recipients.


-- 
char *t="\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8? c<<=1:
(c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}


Re: Further information on tweaking tips...

Posted by martes <ma...@mgwigglesworth.com>.
Greetings Karsten.

How can you tell that the header was mangled?

I have not gotten that deep into email analysis yet, however, I don't
see what you mean.

I also have to "train" my bayesian filter, so that could be why some
mail is slipping through.  

In response to some other inquiries, citadel simply shoots the mail to
spamd on the requisite host, and then relies on spamd to evaluate the
message.  There are no SA headers because of the process that was just
described.  This must be specific to citadel.

Can anyone let me know where spamassassin stores spam on a default
install?  

I need to find some spam/ham to train sa-learn with.

Thanks again for the responses.

I am still seeing two or three spam email messages getting through.
This has to be the ham/spam thing that bayesian filtration takes care
of, because obvious spam seems to be filtered pretty well.


On Fri, 2009-04-10 at 14:39 -0400, Karsten Bräckelmann wrote:
> On Fri, 2009-04-10 at 11:20 -0700, John Hardin wrote:
> > On Fri, 10 Apr 2009, martes wrote:
> 
> > > Here is a link to the listed message that passed through the filter.
> > >
> > > http://pastebin.com/d6fe63bd6
> > 
> > The headers in that spample don't say anything about SA at all. Did you 
> > export the message from your mail client? That can omit headers.
> 
> Evolution does not omit headers when showing the message source.
> However, that particular message indeed looks like the headers have been
> severely altered. Note the Received headers position.
> 
> Martes, how is SA integrated? Unfortunately, the Evolution Junk plugin
> doesn't add the SA headers.
> 
> 
> Btw, by glimpsing at the headers alone I can already tell it definitely
> is spam. The Message-Id is very poorly forged and seriously broken. To
> avoid the term braindead. :)  It triggers my rule KB_RATWARE_MSGID.
> 
> 
> > Is it possible for you to directly retrieve the message out of your system 
> > mailbox file using a text editor? That's guaranteed to not omit anything 
> > of interest.
> 
> And please don't munge any data, unless you really have to -- for
> instance, the Organization header appears to have been rewritten.
> 
> 



Re: Further information on tweaking tips...

Posted by Karsten Bräckelmann <gu...@rudersport.de>.
On Sat, 2009-04-11 at 09:14 -0400, martes wrote:
> Greetings Karsten.
> 
> How can you tell that the header was mangled?
> 
> I have not gotten that deep into email analysis yet, however, I don't
> see what you mean.

Your pastebin sample expired -- so here goes from memory.

The Received headers, injected by the MTAs, are below the sender
generated headers. That's obviously been rewritten. Also, in addition to
personal information, the Organization header read something like "my
organization", just like my-address and stuff. Appears to have been
altered by you.


> I also have to "train" my bayesian filter, so that could be why some
> mail is slipping through.  
> 
> In response to some other inquiries, citadel simply shoots the mail to
> spamd on the requisite host, and then relies on spamd to evaluate the
> message.  There are no SA headers because of the process that was just
> described.  This must be specific to citadel.

See my previous post. While you're right that it probably is Citadel
specific, SA can be used as a filter just fine. Maybe Citadel knows how
to do that, too.


> Can anyone let me know where spamassassin stores spam on a default
> install?  

It doesn't -- default or not. SA does not reject mail, store or deliver
mail, or whatever else. SA classifies and scores mail. Any action
whatsoever is the duty of other tools in your mail processing chain.
Citadel in your case.

Yup, you want to follow up with Citadel folks... ;)


-- 
char *t="\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8? c<<=1:
(c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}

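Karsten's observation about the position of the Received headers can be checked mechanically. The following Python is an added example for this thread, not code from the list or from SpamAssassin: it unfolds a raw header block, reports any Received header that sits below a header the sender's client writes (From, To, Subject, Date, Message-ID, ...), and applies a plain shape check to the Message-ID. Both header blocks are constructed samples; the Message-ID check is a generic sanity test and is not Karsten's KB_RATWARE_MSGID rule, whose pattern does not appear on this page.

```python
import re

# Headers written by the sender's mail client. Every MTA on the path
# prepends its own Received header ABOVE everything it received, so in
# an unmodified message all Received headers sit above these.
SENDER_HEADERS = {
    "from", "to", "cc", "subject", "date", "message-id", "mime-version",
    "content-type", "x-mailer", "organization",
}

# Plain <local-part@domain.tld> shape. A Message-ID without a dotted
# domain deserves a closer look; this is a heuristic, not an RFC 5322 parse.
MESSAGE_ID_RE = re.compile(r"<[^<>@\s]+@[^<>@\s]+\.[^<>@\s]+>")


def parse_header_block(raw):
    """Return (name, value) pairs in wire order, unfolding continuation
    lines; parsing stops at the blank line that ends the header block."""
    fields = []
    for line in raw.splitlines():
        if line.strip() == "":
            break
        if line[:1] in (" ", "\t") and fields:  # folded continuation line
            name, value = fields[-1]
            fields[-1] = (name, value + " " + line.strip())
            continue
        name, _, value = line.partition(":")
        fields.append((name.strip().lower(), value.strip()))
    return fields


def misplaced_received(fields):
    """Indexes of Received headers that appear after a sender header."""
    seen_sender = False
    misplaced = []
    for idx, (name, _) in enumerate(fields):
        if name in SENDER_HEADERS:
            seen_sender = True
        elif name == "received" and seen_sender:
            misplaced.append(idx)
    return misplaced


def analyze(raw):
    """Header-order and Message-ID checks for one raw message."""
    fields = parse_header_block(raw)
    mid = next((v for n, v in fields if n == "message-id"), "")
    return {
        "received_misplaced": misplaced_received(fields),
        "message_id_ok": MESSAGE_ID_RE.fullmatch(mid) is not None,
    }


# Constructed sample 1: Received headers pasted BELOW the sender headers,
# the layout Karsten describes for the expired pastebin sample.
SAMPLE_REWRITTEN = """From: "Someone" <someone@example.net>
To: me@example.org
Subject: hello
Date: Fri, 10 Apr 2009 10:00:00 -0400
Message-ID: <01c9ba89$6ab06200$1f3c797c@ter>
Received: from mail.example.org (localhost [127.0.0.1])
\tby mail.example.org with ESMTP id 1; Fri, 10 Apr 2009 10:00:07 -0400
Received: from [192.0.2.10] (unknown [192.0.2.10])
\tby mail.example.org with SMTP; Fri, 10 Apr 2009 10:00:06 -0400

body text
"""

# Constructed sample 2: the normal layout, trace headers on top.
SAMPLE_NORMAL = """Received: from mail.example.org (localhost [127.0.0.1])
\tby mail.example.org with ESMTP id 2; Fri, 10 Apr 2009 11:00:07 -0400
Received: from mx.example.net (mx.example.net [192.0.2.20])
\tby mail.example.org with ESMTP; Fri, 10 Apr 2009 11:00:06 -0400
From: "Someone" <someone@example.net>
To: me@example.org
Subject: hello
Date: Fri, 10 Apr 2009 11:00:00 -0400
Message-ID: <abc123@mail.example.net>

body text
"""

if __name__ == "__main__":
    for label, raw in (("rewritten", SAMPLE_REWRITTEN), ("normal", SAMPLE_NORMAL)):
        print(label, analyze(raw))
```

Treat a positive result the way SpamAssassin treats its own rules, as a scored signal rather than a hard verdict: the check only tells you the headers are not in the order an MTA chain produces, which is exactly why John and Karsten ask for the message pulled straight from the mailbox file rather than exported from a client.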

Re: Further information on tweaking tips...

Posted by Karsten Bräckelmann <gu...@rudersport.de>.
On Fri, 2009-04-10 at 11:20 -0700, John Hardin wrote:
> On Fri, 10 Apr 2009, martes wrote:

> > Here is a link to the listed message that passed through the filter.
> >
> > http://pastebin.com/d6fe63bd6
> 
> The headers in that spample don't say anything about SA at all. Did you 
> export the message from your mail client? That can omit headers.

Evolution does not omit headers when showing the message source.
However, that particular message indeed looks like the headers have been
severely altered. Note the Received headers position.

Martes, how is SA integrated? Unfortunately, the Evolution Junk plugin
doesn't add the SA headers.


Btw, by glimpsing at the headers alone I can already tell it definitely
is spam. The Message-Id is very poorly forged and seriously broken. To
avoid the term braindead. :)  It triggers my rule KB_RATWARE_MSGID.


> Is it possible for you to directly retrieve the message out of your system 
> mailbox file using a text editor? That's guaranteed to not omit anything 
> of interest.

And please don't munge any data, unless you really have to -- for
instance, the Organization header appears to have been rewritten.


-- 
char *t="\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8? c<<=1:
(c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}


Re: Further information on tweaking tips...

Posted by Karsten Bräckelmann <gu...@rudersport.de>.
On Fri, 2009-04-10 at 23:29 -0400, martes wrote:
> I have to admit that I am still fresh-newbie to SA administration,
> however, the "integration" method is simply to pipe mail from citadel
> to spamd, which happens to be on the same server, and then if the
> filtration passes, then the mail gets passed back to the email server.

Given that SA appears to be working, you are however not seeing any SA
headers...

There are different possible ways to integrate SA. The preferred one is
to use it as a *filter*, so SA can add its own headers. It appears
Citadel is using SA merely to classify, not as a filter -- no different
spamminess levels but a black and white decision only.


> however, I think that the integration of SA with citadel is simply to
> pipe unknown email to the filter, and then let the filter manage it.
> There seems to be a notification within the citadel logs which
> indicates a -1 status and the requisite "rejected by filter" message,
> however, I don't see where the mail is held.   Hence my interest in
> getting further involved in the administrative tasks, since time is
> permitting, now.

I guess you want to follow up with Citadel folks...


> However, I do want to know about the "tagging" facilities that I am
> supposed to be seeing.  Any further information on that topic is much
> appreciated, because spamd is obviously doing its job because in the
> time that it took to take spamd down, remove it, recompile, and
> install it, I received about fifteen spam mail messages. So there must
> have been something which was out of date on the system, because I can
> see about five to ten messages every 15 to 30 minutes being deflected
> in the logs.

Deflected?  I seriously hope Citadel -- whatever that is -- rejects the
messages at SMTP level, based on SA result. And does not bounce after
accepting the message...


-- 
char *t="\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8? c<<=1:
(c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}


Re: Further information on tweaking tips...

Posted by martes <ma...@mgwigglesworth.com>.
Thanks for the responses.

I have to admit that I am still fresh-newbie to SA administration,
however, the "integration" method is simply to pipe mail from citadel to
spamd, which happens to be on the same server, and then if the
filtration passes, then the mail gets passed back to the email server.

I am using Citadel as my email server, so the integration is simply to
add the relevant host declaration, and that is about it.  I think the
process is as simple as described, however, I have never seen any
spamd/SA headers in anything that gets passed back to the server.  I can
see the email getting filtered in the spamd logs, and when they were on
the maillog facility, as indicated earlier, you could see the direct
flow of an email coming into citadel, a connection being registered from
citadel to spamd/SA, and then the processing of the email is displayed.

I have provided an example directly off of the server logs.

tail /var/log/spamd.log
Fri Apr 10 22:39:33 2009 [26125] info: spamd: connection from localhost
[127.0.0.1] at port 58085
Fri Apr 10 22:39:33 2009 [26125] info: spamd: checking message <01c9ba89
$6ab06200$1f3c797c@ter> for (unknown):1004
Fri Apr 10 22:39:37 2009 [26125] info: spamd: identified spam (22.3/5.0)
for (unknown):1004 in 4.7 seconds, 1184 bytes.
Fri Apr 10 22:39:37 2009 [26125] info: spamd: result: Y 22 -
BODY_ENHANCEMENT2,FH_HELO_EQ_D_D_D_D,FM_SEX_HELODDDD,HELO_DYNAMIC_IPADDR,HS_INDEX_PARAM,MORE_SEX,MSGID_FROM_MTA_HEADER,RAZOR2_CF_RANGE_51_100,RAZOR2_CF_RANGE_E8_51_100,RAZOR2_CHECK,RCVD_IN_PBL,RCVD_IN_SORBS_DUL,RDNS_DYNAMIC,URIBL_BLACK,URIBL_JP_SURBL,URIBL_SBL scantime=4.7,size=1184,user=(unknown),uid=1004,required_score=5.0,rhost=localhost,raddr=127.0.0.1,rport=58085,mid=<01...@ter>,autolearn=spam
Fri Apr 10 22:39:38 2009 [26123] info: prefork: child states: II
Fri Apr 10 22:56:41 2009 [26125] info: spamd: connection from localhost
[127.0.0.1] at port 59165
Fri Apr 10 22:56:41 2009 [26125] info: spamd: checking message <01c9ba9c
$92f58c00$bba3cf77@tenaude> for (unknown):1004
Fri Apr 10 22:56:43 2009 [26125] info: spamd: identified spam (7.2/5.0)
for (unknown):1004 in 2.2 seconds, 1561 bytes.
Fri Apr 10 22:56:43 2009 [26125] info: spamd: result: Y 7 -
MSGID_FROM_MTA_HEADER,RCVD_IN_BL_SPAMCOP_NET,RCVD_IN_XBL,SPF_SOFTFAIL
scantime=2.2,size=1561,user=(unknown),uid=1004,required_score=5.0,rhost=localhost,raddr=127.0.0.1,rport=59165,mid=<01...@tenaude>,autolearn=no
Fri Apr 10 22:56:43 2009 [26123] info: prefork: child states: II

<Prompt> cat /var/log/maillog | grep tenaude
Apr 10 22:56:43 dataserver1 citadel: -1: from=<te...@ssss.gouv.qc.ca>,
nrcpts=1, relay=119.207.163.187 [119.207.163.187], stat=550 message
rejected by spam filter^M


I have reinstalled SpamAssassin using the perl modules that were listed
as optional, and it seems that the sa-update worked, and I have not
gotten anymore spam since reinstalling, then upgrading.  I am still a
bit vague as to how all of the integration and rulesets work, however, I
think that the integration of SA with citadel is simply to pipe unknown
email to the filter, and then let the filter manage it.  There seems to
be a notification within the citadel logs which indicates a -1 status
and the requisite "rejected by filter" message, however, I don't see
where the mail is held.   Hence my interest in getting further involved
in the administrative tasks, since time is permitting, now.

Thanks for the inquiries.

I hope that my current message will clear up the "integration" inquiry.
I still have to read more about these different mechanisms, however, I
think it may be working now.  

However, I do want to know about the "tagging" facilities that I am
supposed to be seeing.  Any further information on that topic is much
appreciated, because spamd is obviously doing its job because in the
time that it took to take spamd down, remove it, recompile, and install
it, I received about fifteen spam mail messages. So there must have been
something which was out of date on the system, because I can see about
five to ten messages every 15 to 30 minutes being deflected in the logs.

Thanks guys, and please give any further input or inquiry, because I am
all ears....

On Fri, 2009-04-10 at 20:49 -0400, Karsten Bräckelmann wrote:

> On Fri, 2009-04-10 at 19:24 -0400, martes wrote:
> 
> > There was a mention of evolution's junk plugin, however, I had to
> > disable that plugin and just rely on the server, since it would just
> > cause an infinite loop, whenever new mail was looked at, causing
> > Evolution to lock up.
> 
> While the "loop" is disturbing and can't be caused by either system
> involved -- I just asked, cause your headers are lacking the SA ones. A
> possible explanation. Though the *least* best one, since you're using
> IMAP.
> 
> Yes, server side filtering *before* the mail gets delivered to your IMAP
> server is the way to go.
> 
> 
> > I use spamd on my mail server, and the server pipes it straight to my
> > spamd session, and then if it gets out, then I get email.  That may be
> > the reason for the non-sa headers. I just looked at a few other "good"
> > email examples in my inbox, and none of them has SA headers, except for
> > the ones from this list.
> 
> Nope. Using spamc/d server-side is *not* the reason why you're lacking
> the SA headers.
> 
> Let me ask again:  HOW do you integrate SA?
> 
> SA headers appearing on this list are normal, and have not been added on
> your side. Besides, your ones would be at the top and not labeled ASF...
> 
> 

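The spamd log excerpt above is the most useful evidence in this thread, and it is worth parsing rather than eyeballing. The following Python is an added example, not code from the list or from SpamAssassin: it pulls every `spamd: result:` line out of a log, regardless of whether the line carries a syslog prefix or spamd's own timestamp from `-s` logging, and summarises verdicts, rule hits, the absence of any `BAYES_*` rule (John's point that Bayes is not working) and ham that landed close to the threshold. The log lines are constructed to match the format shown in this thread; the Message-IDs marked `constructed-` are invented, and the assumption that spamd writes `none` for an empty rule list is noted in a comment.

```python
import re
from collections import Counter

# One "result:" line per scanned message, in the format shown in this thread:
#   spamd: result: <Y|.> <score> - <rule,rule,...> key=value,key=value,...
# The regex searches rather than anchors, so both the syslog form
# ("Apr 10 10:00:07 host spamd[pid]: spamd: result: ...") and the -s
# logfile form ("Fri Apr 10 22:39:37 2009 [pid] info: spamd: result: ...") work.
RESULT_RE = re.compile(
    r"spamd: result: (?P<verdict>[Y.]) (?P<score>-?\d+) - (?P<rules>\S+) (?P<kv>.*)$"
)
KV_RE = re.compile(r"(\w+)=([^,]*)")  # assumes values carry no commas


def parse_result_line(line):
    """Return a dict for a spamd result line, or None for any other line."""
    m = RESULT_RE.search(line)
    if not m:
        return None
    # Assumption: spamd writes "none" when no rule hit; "-" is tolerated too.
    rules = [] if m["rules"] in ("none", "-") else m["rules"].split(",")
    kv = dict(KV_RE.findall(m["kv"]))
    return {
        "spam": m["verdict"] == "Y",
        "score": int(m["score"]),
        "required": float(kv.get("required_score", "5.0")),
        "rules": rules,
        "mid": kv.get("mid", ""),
        "autolearn": kv.get("autolearn", ""),
        "uid": kv.get("uid", ""),
    }


def summarize(lines):
    """Aggregate the result lines of a log into the figures an admin wants."""
    records = [r for r in map(parse_result_line, lines) if r is not None]
    counts = Counter("spam" if r["spam"] else "ham" for r in records)
    rule_hits = Counter(rule for r in records for rule in r["rules"])
    # No BAYES_* rule on any message means Bayes is disabled, not yet trained
    # (it stays silent below 200 ham and 200 spam) or its database is unreadable.
    bayes_seen = any(rule.startswith("BAYES_") for rule in rule_hits)
    # Ham within two points of the threshold: pull these from the mailbox and
    # review them; if they are spam, feed them to sa-learn --spam.
    near_misses = [r["mid"] for r in records
                   if not r["spam"] and r["score"] >= r["required"] - 2]
    return {"counts": counts, "rule_hits": rule_hits, "bayes_seen": bayes_seen,
            "near_misses": near_misses, "records": records}


# Constructed log lines in the two formats seen in this thread.
SAMPLE_LOG = """\
Fri Apr 10 22:39:37 2009 [26125] info: spamd: result: Y 22 - BODY_ENHANCEMENT2,HELO_DYNAMIC_IPADDR,RCVD_IN_PBL,URIBL_BLACK scantime=4.7,size=1184,user=(unknown),uid=1004,required_score=5.0,rhost=localhost,raddr=127.0.0.1,rport=58085,mid=<01c9ba89$6ab06200$1f3c797c@ter>,autolearn=spam
Fri Apr 10 22:39:38 2009 [26123] info: prefork: child states: II
Apr 10 22:56:43 dataserver1 spamd[26125]: spamd: result: Y 7 - MSGID_FROM_MTA_HEADER,RCVD_IN_BL_SPAMCOP_NET,RCVD_IN_XBL,SPF_SOFTFAIL scantime=2.2,size=1561,user=(unknown),uid=1004,required_score=5.0,rhost=localhost,raddr=127.0.0.1,rport=59165,mid=<01c9ba9c$92f58c00$bba3cf77@tenaude>,autolearn=no
Apr 10 10:00:07 dataserver1 spamd[94633]: spamd: result: . 2 - MSGID_FROM_MTA_HEADER,RCVD_IN_PBL,XMAILER_MIMEOLE_OL_4BF4C scantime=0.8,size=1219,user=(unknown),uid=1004,required_score=5.0,rhost=localhost,raddr=127.0.0.1,rport=51745,mid=<constructed-3@jwq>,autolearn=no
Apr 10 10:05:12 dataserver1 spamd[94633]: spamd: result: . 4 - HTML_MESSAGE,RCVD_IN_PBL,RDNS_DYNAMIC scantime=0.9,size=2048,user=(unknown),uid=1004,required_score=5.0,rhost=localhost,raddr=127.0.0.1,rport=51790,mid=<constructed-4@example.invalid>,autolearn=no
"""

if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG.splitlines())
    print("verdicts:", dict(summary["counts"]))
    print("top rules:", summary["rule_hits"].most_common(3))
    print("bayes seen:", summary["bayes_seen"])
    print("near misses:", summary["near_misses"])
```

Run against a real file with `summarize(open("/var/log/spamd.log").read().splitlines())`. The integer score in the result line is spamd's rounded value (22 for 22.3 in the excerpt above), so the near-miss window is coarse by design; the `identified spam (22.3/5.0)` line carries the exact figure if you need it.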
Re: Further information on tweaking tips...

Posted by Karsten Bräckelmann <gu...@rudersport.de>.
On Fri, 2009-04-10 at 19:24 -0400, martes wrote:

> There was a mention of evolution's junk plugin, however, I had to
> disable that plugin and just rely on the server, since it would just
> cause an infinite loop, whenever new mail was looked at, causing
> Evolution to lock up.

While the "loop" is disturbing and can't be caused by either system
involved -- I just asked, cause your headers are lacking the SA ones. A
possible explanation. Though the *least* best one, since you're using
IMAP.

Yes, server side filtering *before* the mail gets delivered to your IMAP
server is the way to go.


> I use spamd on my mail server, and the server pipes it straight to my
> spamd session, and then if it gets out, then I get email.  That may be
> the reason for the non-sa headers. I just looked at a few other "good"
> email examples in my inbox, and none of them has SA headers, except for
> the ones from this list.

Nope. Using spamc/d server-side is *not* the reason why you're lacking
the SA headers.

Let me ask again:  HOW do you integrate SA?

SA headers appearing on this list are normal, and have not been added on
your side. Besides, your ones would be at the top and not labeled ASF...


-- 
char *t="\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8? c<<=1:
(c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}


Re: Further information on tweaking tips...

Posted by martes <ma...@mgwigglesworth.com>.
I will check on all of these things, however, I have to read some docs
on the subject.

I was just getting into this type of configuration when I got swamped
with some other projects.

I will have to research bayes configurations.  I am reinstalling
spamassassin to include some of the optional perl modules that were
omitted originally, however, since bayes does not seem to be working, I
guess I will have to check there first.

There was a mention of evolution's junk plugin, however, I had to
disable that plugin and just rely on the server, since it would just
cause an infinite loop, whenever new mail was looked at, causing
Evolution to lock up.

I use spamd on my mail server, and the server pipes it straight to my
spamd session, and then if it gets out, then I get email.  That may be
the reason for the non-sa headers. I just looked at a few other "good"
email examples in my inbox, and none of them has SA headers, except for
the ones from this list.

On Fri, 2009-04-10 at 14:20 -0400, John Hardin wrote:
> On Fri, 10 Apr 2009, martes wrote:
> 
> > Apr 10 10:00:07 dataserver1 spamd[94633]: spamd: result: . 2 -
> > MSGID_FROM_MTA_HEADER,RCVD_IN_PBL,XMAILER_MIMEOLE_OL_4BF4C
> > scantime=0.8,size=1219,user=(unknown),uid=1004,required_score=5.0,rhost=localhost,raddr=127.0.0.1,rport=51745,mid=<01...@jwq>,autolearn=no
> 
> It looks like Bayes isn't working. Have you disabled Bayes? Have you given 
> Bayes any training yet?
> 
> > Here is a link to the listed message that passed through the filter.
> >
> > http://pastebin.com/d6fe63bd6
> 
> The headers in that spample don't say anything about SA at all. Did you 
> export the message from your mail client? That can omit headers.
> 
> Is it possible for you to directly retrieve the message out of your system 
> mailbox file using a text editor? That's guaranteed to not omit anything 
> of interest.
> 


Re: Further information on tweaking tips...

Posted by John Hardin <jh...@impsec.org>.
On Fri, 10 Apr 2009, martes wrote:

> Apr 10 10:00:07 dataserver1 spamd[94633]: spamd: result: . 2 -
> MSGID_FROM_MTA_HEADER,RCVD_IN_PBL,XMAILER_MIMEOLE_OL_4BF4C
> scantime=0.8,size=1219,user=(unknown),uid=1004,required_score=5.0,rhost=localhost,raddr=127.0.0.1,rport=51745,mid=<01...@jwq>,autolearn=no

It looks like Bayes isn't working. Have you disabled Bayes? Have you given 
Bayes any training yet?

> Here is a link to the listed message that passed through the filter.
>
> http://pastebin.com/d6fe63bd6

The headers in that spample don't say anything about SA at all. Did you 
export the message from your mail client? That can omit headers.

Is it possible for you to directly retrieve the message out of your system 
mailbox file using a text editor? That's guaranteed to not omit anything 
of interest.

-- 
  John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
  jhardin@impsec.org    FALaholic #11174     pgpk -a jhardin@impsec.org
  key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
   You can't reason a person out of a position if he didn't use
   reason to get there in the first place.   -- Kristopher, at Marko's
-----------------------------------------------------------------------
  3 days until Thomas Jefferson's 266th Birthday

Re: Further information on tweaking tips...

Posted by "McDonald, Dan" <Da...@austinenergy.com>.
On Sun, 2009-04-12 at 22:08 +0200, Karsten Bräckelmann wrote:
> On Fri, 2009-04-10 at 13:29 -0500, McDonald, Dan wrote:
> > X-Spam-Report: 

> > 	*  3.0 KB_RATWARE_MSGID Ratware Message-Id
> 
> Ah, nice... :)  Thanks.
> 
> > The only custom rule that it hit was:

> Actually, my RATWARE_MSGID rule is custom, too. ;)  After all, it lives
> in my sandbox and isn't part of 3.2.x stock rule-set.

Quite right - I forgot I had that in local_ratware.cf  You must have
posted something about it on the mailing list.

Looks like it hits about 15 messages a week, most of them high-scoring
spam, but it did manage to drag one over the threshold:
Apr  4 23:14:32 sa amavis[24228]: (24228-06) SPAM, <XX...@yahoo.com>
-> <jo...@example.com>, Yes, score=8.601
tag=-999 tag2=4.5 kill=6.31
tests=[AV:Sanesecurity.Phishing.Cur.10915.UNOFFICIAL=4.1,
FREEMAIL_FROM=0.5, HTML_MESSAGE=0.001, KB_RATWARE_MSGID=3,
L_P0F_Linux=1], autolearn=disabled, quarantine agoMPInWuoOL
(spam-quarantine)

-- 
Daniel J McDonald, CCIE #2495, CISSP #78281, CNX
Austin Energy
http://www.austinenergy.com


Re: Further information on tweaking tips...

Posted by Karsten Bräckelmann <gu...@rudersport.de>.
On Fri, 2009-04-10 at 13:29 -0500, McDonald, Dan wrote:
> X-Spam-Report: 

> 	*  2.0 RCVD_IN_BRBL_RELAY RBL: received via a relay rated as poor by
> 	*      Barracuda
> 	*      [121.58.201.246 listed in b.barracudacentral.org]

> 	*  3.0 BARE_GEOCITIES URI: Body contains spammed domain
> 	*  3.0 KB_RATWARE_MSGID Ratware Message-Id

Ah, nice... :)  Thanks.

> The only custom rule that it hit was:
> uri  BARE_GEOCITIES   m'^http://geocities\.com\b'i

> if you don't count the barracuda rule:

Actually, my RATWARE_MSGID rule is custom, too. ;)  After all, it lives
in my sandbox and isn't part of 3.2.x stock rule-set.

  guenther


-- 
char *t="\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8? c<<=1:
(c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}


Re: Further information on tweaking tips...

Posted by "McDonald, Dan" <Da...@austinenergy.com>.
On Fri, 2009-04-10 at 14:05 -0400, martes wrote:
> Thanks for the tips guys.
> 
> In response to the simpler of the two inquiries, after using the
> syslog switch, I am only able to get the logs sent directly to
> spamd.log, so the frequent archiving that syslogd does is not going to
> be done for this file.  I guess this is good enough for now.
> 
> However, I do have a log for one of the examples that I have provided.

Mine scores that at 16.
X-Spam-Status: Yes, score=16.0 required=5.0 tests=BARE_GEOCITIES,BOTNET_OTHER,
	KB_RATWARE_MSGID,MSGID_FROM_MTA_HEADER,RCVD_IN_BL_SPAMCOP_NET,
	RCVD_IN_BRBL_RELAY,RCVD_IN_PBL,RCVD_IN_XBL,TO_MALFORMED,
	XMAILER_MIMEOLE_OL_4BF4C autolearn=disabled version=3.2.5
X-Spam-Report: 
	*  0.0 TO_MALFORMED To: has a malformed address
	*  2.2 RCVD_IN_BL_SPAMCOP_NET RBL: Received via a relay in bl.spamcop.net
	*      [Blocked - see <http://www.spamcop.net/bl.shtml?121.58.201.246>]
	*  2.0 RCVD_IN_BRBL_RELAY RBL: received via a relay rated as poor by
	*      Barracuda
	*      [121.58.201.246 listed in b.barracudacentral.org]
	*  0.5 RCVD_IN_PBL RBL: Received via a relay in Spamhaus PBL
	*      [121.58.201.246 listed in zen.spamhaus.org]
	*  2.9 RCVD_IN_XBL RBL: Received via a relay in Spamhaus XBL
	*  3.0 BARE_GEOCITIES URI: Body contains spammed domain
	*  3.0 KB_RATWARE_MSGID Ratware Message-Id
	*  0.4 XMAILER_MIMEOLE_OL_4BF4C XMAILER_MIMEOLE_OL_4BF4C
	*  1.5 MSGID_FROM_MTA_HEADER Message-Id was added by a relay
	*  0.5 BOTNET_OTHER BOTNET_OTHER

> http://pastebin.com/d6fe63bd6

The only custom rule that it hit was:
uri  BARE_GEOCITIES   m'^http://geocities\.com\b'i
describe BARE_GEOCITIES Body contains spammed domain
score   BARE_GEOCITIES 3.0
if you don't count the barracuda rule:
# URL: http://www.barracudacentral.org/rbl/
header __RCVD_IN_BRBL           eval:check_rbl('brbl-lastexternal', 'b.barracudacentral.org')
describe __RCVD_IN_BRBL         received via a relay in b.barracudacentral.org
header RCVD_IN_BRBL_RELAY       eval:check_rbl_sub('brbl-lastexternal', '127.0.0.2')
tflags RCVD_IN_BRBL_RELAY       net
describe        RCVD_IN_BRBL_RELAY      received via a relay rated as poor by Barracuda
score           RCVD_IN_BRBL_RELAY      2.00

-- 
Daniel J McDonald, CCIE #2495, CISSP #78281, CNX
Austin Energy
http://www.austinenergy.com

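Dan's rules above are SpamAssassin configuration evaluated by SA's own engine. To make the scoring mechanics concrete, the following Python is an added example, not SA code and not Dan's: a deliberately small model that parses `uri`, `describe` and `score` lines in SA syntax, extracts http(s) URIs from a message body, applies each uri rule and sums the scores against `required_score`. The local.cf fragment is constructed (BARE_GEOCITIES is copied in shape from the post; EX_BARE_IP_URI is a hypothetical second rule), as are the message bodies. SA's real URI extraction is far broader (bare domains, obfuscated hosts, mailto), and only uri rules are modelled here.

```python
import re

# Constructed local.cf fragment. BARE_GEOCITIES follows the rule quoted in
# the post; EX_BARE_IP_URI is hypothetical so that several rules add up.
LOCAL_CF = r"""
# URIs pointing straight at geocities.com
uri      BARE_GEOCITIES   m'^http://geocities\.com\b'i
describe BARE_GEOCITIES   Body contains spammed domain
score    BARE_GEOCITIES   3.0

uri      EX_BARE_IP_URI   m'^https?://\d{1,3}(?:\.\d{1,3}){3}(?:[/:]|$)'i
describe EX_BARE_IP_URI   URI uses a bare IP address instead of a hostname
score    EX_BARE_IP_URI   1.5
"""

RULE_RE = re.compile(r"^(uri|describe|score)\s+(\S+)\s+(.*)$")
FLAG_MAP = {"i": re.IGNORECASE, "s": re.DOTALL, "m": re.MULTILINE, "x": re.VERBOSE}
# Simplified URI extraction; SA also finds bare domains and more.
URI_RE = re.compile(r"""https?://[^\s<>"')]+""")


def perl_to_python(expr):
    """Turn the Perl forms m'pat'flags or /pat/flags into a compiled re."""
    m = re.fullmatch(r"m?(.)(.*)\1([a-z]*)", expr.strip())
    if not m:
        raise ValueError("unsupported regex form: " + expr)
    _, pattern, flags = m.groups()
    py_flags = 0
    for f in flags:
        py_flags |= FLAG_MAP[f]
    return re.compile(pattern, py_flags)


def parse_rules(cf_text):
    """Collect uri/describe/score lines per rule name, in file order.
    A rule without a score line gets SA's default of 1.0."""
    rules = {}
    for line in cf_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue  # other config directives are ignored in this model
        kind, name, rest = m.groups()
        rule = rules.setdefault(name, {"regex": None, "describe": "", "score": 1.0})
        if kind == "uri":
            rule["regex"] = perl_to_python(rest)
        elif kind == "describe":
            rule["describe"] = rest
        else:
            rule["score"] = float(rest)
    return rules


def extract_uris(body):
    return URI_RE.findall(body)


def evaluate(body, rules, required=5.0):
    """Apply every uri rule to every URI in the body; sum the hit scores."""
    uris = extract_uris(body)
    hits = [name for name, r in rules.items()
            if r["regex"] is not None and any(r["regex"].search(u) for u in uris)]
    score = sum(rules[n]["score"] for n in hits)
    return {"score": score, "hits": hits, "spam": score >= required}


if __name__ == "__main__":
    rules = parse_rules(LOCAL_CF)
    # Constructed bodies.
    for body in ("Visit http://geocities.com/freestuff/ today",
                 "see http://192.0.2.5/x and http://geocities.com/a",
                 "nothing at https://www.example.org/"):
        print(evaluate(body, rules))
```

Two details carry over to the real rule. The `\b` after `com` is a word boundary, not an end-of-host anchor, so the pattern also fires on `http://geocities.com.example.net/`; that is acceptable for a 3.0-point rule on a domain nobody legitimately mails about, but it is the kind of thing to check with `spamassassin --lint` and a few ham samples before giving a custom rule a high score. And a rule with no `score` line counts 1.0, which is why Dan sets the score explicitly.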

Re: Further information on tweaking tips...

Posted by Martin Gregorie <ma...@gregorie.org>.
On Fri, 2009-04-10 at 14:05 -0400, martes wrote:
> Thanks for the tips guys.
> 
> In response to the simpler of the two inquiries, after using the
> syslog switch, I am only able to get the logs sent directly to
> spamd.log, so the frequent archiving that syslogd does is not going to
> be done for this file.  I guess this is good enough for now.
> 
Don't forget that you should also let logrotate know about your new log
file so that it will be managed along with the other log files. 

You need to do this regardless of whether you use the -s option or
change the syslog configuration. If you don't, the file will simply grow
until the partition that contains /var is full. 


Martin



Re: Further information on tweaking tips...

Posted by martes <ma...@mgwigglesworth.com>.
Thanks for the tips guys.

In response to the simpler of the two inquiries, after using the syslog
switch, I am only able to get the logs sent directly to spamd.log, so
the frequent archiving that syslogd does is not going to be done for
this file.  I guess this is good enough for now.

However, I do have a log for one of the examples that I have provided.

Apr 10 10:00:07 dataserver1 spamd[94633]: spamd: connection from
localhost [127.0.0.1] at port 51745
Apr 10 10:00:07 dataserver1 spamd[94633]: spamd: checking message
<01...@jwq> for (unknown):1004
Apr 10 10:00:07 dataserver1 spamd[94633]: spamd: clean message (2.4/5.0)
for (unknown):1004 in 0.8 seconds, 1219 bytes.
Apr 10 10:00:07 dataserver1 spamd[94633]: spamd: result: . 2 -
MSGID_FROM_MTA_HEADER,RCVD_IN_PBL,XMAILER_MIMEOLE_OL_4BF4C
scantime=0.8,size=1219,user=(unknown),uid=1004,required_score=5.0,rhost=localhost,raddr=127.0.0.1,rport=51745,mid=<01...@jwq>,autolearn=no
Apr 10 10:00:08 dataserver1 citadel: 82998: from=<jw...@boomtownmail.com>,
nrcpts=1, relay=121.58.201.246 [121.58.201.246], stat=250 Message
accepted.

Here is a link to the listed message that passed through the filter.

http://pastebin.com/d6fe63bd6

Thanks for the assistance.

On Fri, 2009-04-10 at 12:55 -0400, Martin Gregorie wrote:

> On Fri, 2009-04-10 at 12:13 -0400, martes wrote:
> > Where should I start in troubleshooting this type of issue?  
> > 
> Are you getting rules updates? If not, that could have a bearing.
> Running sa_update as a daily or weekly cron job is pretty much a fire
> and forget solution.
> 
> > I have not had the time to really get deep into custom rule sets, and
> > all, so I just wanted to know if I need to add these addresses to
> > the blacklist, or if I should first check to see if a specific setting
> > is failing.
> >
> Read the SA documentation. Learn Perl regexes if you don't already know
> how to write them.
> 
> > I even got a particular email that listed a different name
> > as the recipient, and gave that name in the heading of the email, but it
> > was still addressed to me.  I am not that familiar with spam practices,
> > so that was just odd, in the least.
> > 
> Forged sender addresses are common in spam.
> 
> > I also want to know how to pipe the logs from spamd
> > into /var/log/spamd.log.
> > 
> > I have newsyslog.conf and syslog.conf set up to shoot those logs to that
> > log file, however, nothing gets sent there.
> >
> Have you restarted the system logging service (rsyslog on my system) or
> reloaded its configuration?
> 
> 
> Martin
> 
> 
> 
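
A small parser for the spamd "result:" line format shown in the log above, as an added example that is not from the thread or from the SpamAssassin project. It reads spamd log lines on stdin, prints verdict, score, required score and the rules hit, and then lists messages spamd passed as clean that still hit a DNSBL rule (RCVD_IN_*, as RCVD_IN_PBL did in the posted line), which are the ones worth reviewing as false negatives. The three sample lines are constructed: the first mirrors the posted entry, the other two are made up for contrast, and the message IDs are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): parse spamd "result:" log lines and
# pick out messages that were passed as clean although a DNSBL rule fired.

# Constructed sample log. Line 1 mirrors the entry posted in the thread; the
# other two are made up for contrast. Message IDs are placeholders.
SAMPLE_LOG='Apr 10 10:00:07 dataserver1 spamd[94633]: spamd: result: . 2 - MSGID_FROM_MTA_HEADER,RCVD_IN_PBL,XMAILER_MIMEOLE_OL_4BF4C scantime=0.8,size=1219,user=(unknown),uid=1004,required_score=5.0,rhost=localhost,raddr=127.0.0.1,rport=51745,mid=<msg1@example.invalid>,autolearn=no
Apr 10 10:05:12 dataserver1 spamd[94633]: spamd: result: Y 12 - BAYES_99,RCVD_IN_XBL,URIBL_BLACK scantime=1.1,size=2048,user=(unknown),uid=1004,required_score=5.0,rhost=localhost,raddr=127.0.0.1,rport=51790,mid=<msg2@example.invalid>,autolearn=spam
Apr 10 10:07:30 dataserver1 spamd[94633]: spamd: result: . -1 - BAYES_00,HTML_MESSAGE scantime=0.5,size=900,user=(unknown),uid=1004,required_score=5.0,rhost=localhost,raddr=127.0.0.1,rport=51801,mid=<msg3@example.invalid>,autolearn=ham'

# Read spamd log lines on stdin; for each "result:" line print one
# tab-separated record: verdict (. = clean, Y = spam), score, required
# score, comma-separated rules hit.
spamd_results() {
    awk '/ spamd: result: / {
        for (i = 1; i <= NF; i++) if ($i == "result:") break
        verdict = $(i + 1); score = $(i + 2)       # $(i+3) is the "-" separator
        rules = $(i + 4)
        if (rules ~ /=/) rules = "(none)"          # no rules hit: next field is the key=value blob
        required = "?"
        for (j = i + 4; j <= NF; j++) {
            n = split($j, kv, ",")
            for (k = 1; k <= n; k++)
                if (kv[k] ~ /^required_score=/) { sub(/^required_score=/, "", kv[k]); required = kv[k] }
        }
        print verdict "\t" score "\t" required "\t" rules
    }'
}

# Records spamd passed as clean (".") in which a DNSBL rule (RCVD_IN_*)
# nevertheless fired: low-scoring hits like these are the ones to review
# when obvious spam is reaching the inbox.
clean_with_dnsbl_hits() {
    spamd_results | awk -F '\t' '$1 == "." && $4 ~ /(^|,)RCVD_IN_/ { print }'
}

# Demo on the constructed sample; on a live system run
#   clean_with_dnsbl_hits < /var/log/spamd.log
printf '%s\n' "$SAMPLE_LOG" | clean_with_dnsbl_hits
```

On the sample the only record printed is the first one: clean verdict, score 2 against a required 5.0, with RCVD_IN_PBL among the rules, which is exactly the shape of the message that reached the inbox in the thread.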

Re: Further information on tweaking tips...

Posted by Martin Gregorie <ma...@gregorie.org>.
On Fri, 2009-04-10 at 12:13 -0400, martes wrote:
> Where should I start in troubleshooting this type of issue?  
> 
Are you getting rules updates? If not, that could have a bearing.
Running sa_update as a daily or weekly cron job is pretty much a fire
and forget solution.

> I have not had the time to really get deep into custom rule sets, and
> all, so I just wanted to know if I need to add these addresses to
> the blacklist, or if I should first check to see if a specific setting
> is failing.
>
Read the SA documentation. Learn Perl regexes if you don't already know
how to write them.

> I even got a particular email that listed a different name
> as the recipient, and gave that name in the heading of the email, but it
> was still addressed to me.  I am not that familiar with spam practices,
> so that was just odd, in the least.
> 
Forged sender addresses are common in spam.

> I also want to know how to pipe the logs from spamd
> into /var/log/spamd.log.
> 
> I have newsyslog.conf and syslog.conf set up to shoot those logs to that
> log file, however, nothing gets sent there.
>
Have you restarted the system logging service (rsyslog on my system) or
reloaded its configuration?


Martin
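
A cron-friendly wrapper for the rule updates suggested above, as an added example that is not from the thread or from the SpamAssassin project. The command is spelled sa-update; it exits 0 only when new rules were downloaded and installed, 1 when there was nothing new, and higher on an error. Because spamd loads its rules at start-up, the wrapper restarts it only when the rules actually changed. The restart command (SPAMD_RESTART) and the crontab schedule are placeholders you set for your system.

```shell
#!/bin/sh
# Added example (not from the thread): run sa-update from cron and restart
# spamd only when new rules were installed.
# Assumptions: SA_UPDATE and SPAMD_RESTART are overridable placeholders;
# the default restart command will differ by init system.

SA_UPDATE="${SA_UPDATE:-sa-update}"
SPAMD_RESTART="${SPAMD_RESTART:-service spamassassin restart}"   # adjust for your init system

# Run one update cycle. Returns:
#   0 = new rules installed and spamd restarted
#   1 = no new rules (nothing to do)
#   2 = sa-update or the spamd restart failed
update_rules() {
    $SA_UPDATE
    rc=$?
    case $rc in
        0) echo "sa-update: new rules installed, restarting spamd"
           $SPAMD_RESTART || { echo "spamd restart failed" >&2; return 2; }
           return 0 ;;
        1) echo "sa-update: no new rules"
           return 1 ;;
        *) echo "sa-update failed with exit code $rc" >&2
           return 2 ;;
    esac
}

# Example crontab entry (install with crontab -e); path is a placeholder:
# 15 3 * * * /usr/local/sbin/sa-update-cron.sh >> /var/log/sa-update.log 2>&1
```

Treating exit code 1 as "nothing to do" rather than as a failure matters when the job's output is mailed or alerted on: most runs end that way, and only codes of 2 and above are worth a look.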




Re: Further information on tweaking tips...

Posted by Duane Hill <d....@yournetplus.com>.
On Fri, 10 Apr 2009, martes wrote:

> I also want to know how to pipe the logs from spamd
> into /var/log/spamd.log.
>
> I have newsyslog.conf and syslog.conf set up to shoot those logs to that
> log file, however, nothing gets sent there. I guess everything is
> getting picked up by the maillog.info directive.  The thing is, how do I
> unregister spamassassin as part of the mail system, so that this flag
> will not return true for spamd?

You would add to the spamd startup parameters:

     -s /var/log/spamd.log

Re: Further information on tweaking tips...

Posted by martes <ma...@mgwigglesworth.com>.
Actually, I have just come across the -s option, etc...

I think this is where I may be able to derive the functionality that I need
from the logging facilities.

However, I would still like some input for the tweaking tips for
correcting the current misfires that seem to be occurring, which are
allowing for the insertion of the spam that I am seeing in my inbox.


On Fri, 2009-04-10 at 12:13 -0400, Martes G Wigglesworth wrote:
> Greetings list.
> 
> I have been running spamassassin in default install mode for a few
> months now, and in the past week, I have been getting some misfires, I
> would have to assume, since I have been receiving obvious spam.  
> 
> Where should I start in troubleshooting this type of issue?  
> 
> I have not had the time to really get deep into custom rule sets, and
> all, so I just wanted to know if I need to add these addresses to
> the blacklist, or if I should first check to see if a specific setting
> is failing.  I even got a particular email that listed a different name
> as the recipient, and gave that name in the heading of the email, but it
> was still addressed to me.  I am not that familiar with spam practices,
> so that was just odd, in the least.
> 
> I also want to know how to pipe the logs from spamd
> into /var/log/spamd.log.
> 
> I have newsyslog.conf and syslog.conf set up to shoot those logs to that
> log file, however, nothing gets sent there. I guess everything is
> getting picked up by the maillog.info directive.  The thing is, how do I
> unregister spamassassin as part of the mail system, so that this flag
> will not return true for spamd?
> 
>