Re: spamd is dying

2007-08-16 Thread maillist

brian ally wrote:

postfix-2.3.3-1
cyrus-imapd-2.2.10-3
spamassassin-3.1.5-1
spamass-milter-0.3.0-1.1.fc2.rf
perl-Mail-SpamAssassin-3.1.5-1

I'm seeing spamd processes dying consistently:

Aug 13 09:06:07 subtropolix spamd[23480]: bayes: cannot open bayes databases /var/spool/spamassassin/bayes_* R/O: tie failed: Permission denied
Aug 13 09:06:07 subtropolix spamd[23480]: bayes: locker: safe_lock: cannot create tmp lockfile /var/spool/spamassassin/bayes.lock.subtropolix.org.23480 for /var/spool/spamassassin/bayes.lock: Permission denied
Aug 13 09:06:07 subtropolix spamd[23480]: spamd: clean message (-0.2/5.0) for filter:5002 in 27.5 seconds, 3069 bytes.
Aug 13 09:06:07 subtropolix spamd[23480]: spamd: result: . 0 - AWL scantime=27.5,size=3069,user=filter,uid=5002,required_score=5.0,rhost=subtropolix.org,raddr=127.0.0.1,rport=35144,mid=<[EMAIL PROTECTED]>,autolearn=failed
Aug 13 09:07:40 subtropolix spamc[26720]: connect(AF_INET) to spamd at 127.0.0.1 failed, retrying (#1 of 3): Connection refused

# service spamassassin status
spamd dead but pid file exists
# service spamassassin start
Starting spamd:  [  OK  ]

Here're some lines from maillog from when it's been restarted:


Aug 16 13:09:54 subtropolix spamd[19296]: rules: meta test DIGEST_MULTIPLE has undefined dependency 'DCC_CHECK'
Aug 16 13:09:59 subtropolix spamd[19296]: spamd: server started on port 783/tcp (running version 3.1.5)
Aug 16 13:09:59 subtropolix spamd[19296]: spamd: server pid: 19296
Aug 16 13:10:18 subtropolix spamd[24919]: bayes: locker: safe_lock: cannot create tmp lockfile /var/spool/spamassassin/bayes.lock.subtropolix.org.24919 for /var/spool/spamassassin/bayes.lock: Permission denied
Aug 16 13:10:18 subtropolix spamd[24919]: spamd: clean message (-100.9/5.0) for filter:5002 in 18.0 seconds, 117248 bytes.
Aug 16 13:10:18 subtropolix spamd[24919]: spamd: result: . -100 - AWL,HTML_MESSAGE,USER_IN_WHITELIST scantime=18.0,size=117248,user=filter,uid=5002,required_score=5.0,rhost=subtropolix.org,raddr=127.0.0.1,rport=53653,mid=<[EMAIL PROTECTED]>,autolearn=failed

I'm also curious about the "autolearn=failed" on that last line.

/etc/postfix/master.cf:
filter    unix  -       n       n       -       -       pipe
  flags=Rq user=filter argv=/usr/local/anomy/spamc.sh -f ${sender} -- ${recipient}


local.cf:
rewrite_header Subject [SPAM]
lock_method flock
required_score 5.0
use_bayes 1
bayes_auto_learn 1
bayes_path /var/spool/spamassassin/bayes

# ls -l /var/spool/spamassassin/
total 2723
-rw-------  1 root root  162816 Aug 16 01:20 bayes_seen
-rw-------  1 mail mail 2618368 Aug 16 01:20 bayes_toks

/var spool spamassassin has:
drwxr-xr-x   3 mail mail 2048 Aug 16 01:20 spamassassin

Note there's no journal. I haven't figured out why (nor if it's
important). Does anything jump out at anyone as to why spamd might be
dying like this? I have googled for this but have yet to come across a 
definitive answer.


How are you starting spamd?  I think you are starting spamd as a user 
without permissions to /var/spool/spamassassin/bayes. 

Also, in my experience, that line in your config file should actually be 
changed from:


bayes_path /var/spool/spamassassin/bayes

to:

bayes_path /var/spool/spamassassin/bayes/bayes

I start spamd like this:

/usr/bin/spamd -r /var/run/spamd.pid \
-d --username=defang --max-spare=8 --min-children=10 --max-children=45

So, I start spamd as the user "defang".

-=Aubrey=-


Re: Question - How many of you run ALL your email through SA?

2007-08-16 Thread maillist

Kai Schaetzl wrote:

 wrote on 16 Aug 2007 17:26:42 -:

  

One thing I noticed when experimenting with pre-filters: bayes no longer
knows about certain kinds of spam. If, for some reason, the prefilter does
not catch (i.e. you are one of the first to get a new spam run) then SA
might pass it with neutral bayes.
So it might be an idea to feed (a certain percentage of) pre-filtered spam
to a low priority SA learn job



Indeed. On my personal server 99,9% of the spam that reaches SA is from a
forwarded email address, so I cannot block it on MTA. If it weren't for
those my Bayes would grow obsolete quickly.

Kai

  


If you can block SPAM at the MTA level, then that would surely be the 
best solution for all of your resources.  The problem is that sometimes, 
like for me, I have mail that gets forwarded from another account.  That 
account sends my server about 96% spam.  There's nothing that I can do 
to stop that at the MTA level.  For everyone else, I would *much* rather 
spamd never crank up.


...even though it does do a wonderful job, and since I started using it 
about 2 years ago, it has dropped my spam count from about 5,000 a day 
to only about 10 or 15.  If only we could use spam for fuel.


-=Aubrey=-


Re: Blacklist problems!

2007-08-21 Thread maillist

Michael Chapman wrote:

Hi there:

This should be a fairly simple question for the experts out there ... 
everything I'm receiving is being blacklisted, and the reports 
indicate that all these messages are flagged as "USER_IN_BLACKLIST."  
Where?  I don't have a user_prefs, and my global is really simple:


# These values can be overridden by editing ~/.spamassassin/user_prefs.cf
# (see spamassassin(1) for details)

# These should be safe assumptions and allow for simple visual sifting
# without risking lost emails.
whitelist_from *.musiciansfriend.com
whitelist_from *.apache.org
blacklist_from [EMAIL PROTECTED]
required_hits 8
#report_safe 0
rewrite_header Subject [SPAM]
# SpamAssassin config file for version 3.x
# # NOTE: NOT COMPATIBLE WITH VERSIONS 2.5 or 2.6
# # See http://www.yrex.com/spam/spamconfig25.php for earlier versions
# # Generated by http://www.yrex.com/spam/spamconfig.php (version 1.50)
#
# # How many hits before a message is considered spam.
# required_score   5.0
#
# # Encapsulate spam in an attachment (0=no, 1=yes, 2=safe)
report_safe 1
#
# # Enable the Bayes system
use_bayes   1
#
# # Enable Bayes auto-learning
bayes_auto_learn  1
#
# # Enable or disable network checks
# skip_rbl_checks 0
use_razor2  1
#use_dcc 1
use_pyzor   1
#
# # Mail using languages used in these country codes will not be marked
# # as being possibly spam in a foreign language.
#ok_languages en
#
# # Mail using locales used in these country codes will not be marked
# # as being possibly spam in a foreign language.
ok_locales  en

# Blacklist for foreign countries we don't care about getting mail from
#
blacklist_from  *.ar
blacklist_from  *.tr
blacklist_from  *.cn
blacklist_from  *.hr
blacklist_from  *.ru
blacklist_from  *.tw
#
#


This all worked just fine when I was using RH9/SA 2.6.  This is on 
Fedora 7 with SA 3.2.2.  I am using procmail to process incoming mail, 
and using ClamAV for virus stuff.


Is there a way I can reset the blacklist?  This is driving me nuts.  I 
don't want to use all_spam_to just to get my mail!


Help!  Please?

Thanks!

Michael



I would set the following

whitelist_from_rcvd *.musiciansfriend.com  musiciansfriend.com
whitelist_from_rcvd *.apache.org  apache.org

LOOK HERE FOR MORE INFO ON THIS OPTION
http://spamassassin.apache.org/full/3.1.x/doc/Mail_SpamAssassin_Conf.html

blacklist_from [EMAIL PROTECTED]
required_hits 8  
rewrite_header Subject [SPAM]  
report_safe 1

use_bayes   1
bayes_auto_learn  0
skip_rbl_checks 0
use_razor2  1
use_pyzor   1  
ok_languages en

# Blacklist for foreign countries we don't care about getting mail from
#
#blacklist_from  *.ar
#blacklist_from  *.tr
#blacklist_from  *.cn
#blacklist_from  *.hr
#blacklist_from  *.ru
#blacklist_from  *.tw

No need for these settings if you have the above "ok_languages  en"

-=Aubrey=-



Re: Blacklist problems!

2007-08-22 Thread maillist

Michael Chapman wrote:
Well, nothing has worked so far ... every message that I have coming 
in (except for the specifically white-listed messages from this 
mailing list) have USER_IN_BLACKLIST flagged.  Where on earth is it 
getting this?  You've seen my local.cf, I don't have a user_prefs 
anymore (blew it away in hopes of resolving this.)


My head hurts.

Thanks!

Michael

Michael Chapman wrote:
Thanks ... I can certainly take care of the whitelist items.  The 
country codes are all remarked out, as I used the ok_languages as 
you indicated.


How will changing the whitelist entries prevent my incoming mail as 
being blacklisted?


Thanks again!

Michael

I would set the following

whitelist_from_rcvd *.musiciansfriend.com  musiciansfriend.com
whitelist_from_rcvd *.apache.org  apache.org

LOOK HERE FOR MORE INFO ON THIS OPTION
http://spamassassin.apache.org/full/3.1.x/doc/Mail_SpamAssassin_Conf.html 



blacklist_from [EMAIL PROTECTED]
required_hits 8
rewrite_header Subject [SPAM]
report_safe 1
use_bayes   1
bayes_auto_learn  0
skip_rbl_checks 0
use_razor2  1
use_pyzor   1
ok_languages en
# Blacklist for foreign countries we don't care about getting mail from
#
#blacklist_from  *.ar
#blacklist_from  *.tr
#blacklist_from  *.cn
#blacklist_from  *.hr
#blacklist_from  *.ru
#blacklist_from  *.tw

No need for these settings if you have the above "ok_languages  en"

-=Aubrey=-

Michael Chapman wrote:
OK ... after diving back into my spam to get responses to this 
message, I turned off AWL in v310.pre and removed all blacklist 
items from local.cf and user_prefs.  Still no joy.  Everything is 
still getting flagged as before!  What is going on?


Thanks for all of your help so far, gang!

Michael

Michael Chapman wrote:
 

Hi there:

This should be a fairly simple question for the experts out there 
... everything I'm receiving is being blacklisted, and the reports 
indicate that all these messages are flagged as 
"USER_IN_BLACKLIST."  Where?  I don't have a user_prefs, and my 
global is really simple:


# These values can be overridden by editing ~/.spamassassin/user_prefs.cf
# (see spamassassin(1) for details)

# These should be safe assumptions and allow for simple visual sifting
# without risking lost emails.
whitelist_from *.musiciansfriend.com
whitelist_from *.apache.org
blacklist_from [EMAIL PROTECTED]
required_hits 8
#report_safe 0
rewrite_header Subject [SPAM]
# SpamAssassin config file for version 3.x
# # NOTE: NOT COMPATIBLE WITH VERSIONS 2.5 or 2.6
# # See http://www.yrex.com/spam/spamconfig25.php for earlier versions
# # Generated by http://www.yrex.com/spam/spamconfig.php (version 1.50)
#
# # How many hits before a message is considered spam.
# required_score   5.0
#
# # Encapsulate spam in an attachment (0=no, 1=yes, 2=safe)
report_safe 1
#
# # Enable the Bayes system
use_bayes   1
#
# # Enable Bayes auto-learning
bayes_auto_learn  1
#
# # Enable or disable network checks
# skip_rbl_checks 0
use_razor2  1
#use_dcc 1
use_pyzor   1
#
# # Mail using languages used in these country codes will not be marked
# # as being possibly spam in a foreign language.
#ok_languages en
#
# # Mail using locales used in these country codes will not be marked
# # as being possibly spam in a foreign language.
ok_locales  en

# Blacklist for foreign countries we don't care about getting mail from
#
blacklist_from  *.ar
blacklist_from  *.tr
blacklist_from  *.cn
blacklist_from  *.hr
blacklist_from  *.ru
blacklist_from  *.tw
#
#


This all worked just fine when I was using RH9/SA 2.6.  This is on 
Fedora 7 with SA 3.2.2.  I am using procmail to process incoming 
mail, and using ClamAV for virus stuff.


Is there a way I can reset the blacklist?  This is driving me 
nuts.  I don't want to use all_spam_to just to get my mail!


Help!  Please?

Thanks!

Michael




  






You may want to try to turn off bayes_auto_learn or just turn off bayes 
altogether.  Maybe your bayes have become corrupt.


-=Aubrey=-
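
Added example, not from the thread or from SpamAssassin itself: SpamAssassin reads every .cf file in its site configuration directory as well as user_prefs, so a USER_IN_BLACKLIST hit can come from a file other than the one being edited. This Python script lists, by file and line, each blacklist_from entry whose glob (only * and ? are wildcards) matches a given sender; the file names and the contents of zz-leftover.cf are constructed, and unblacklist_from is not modelled.

```python
import re


def glob_to_regex(pattern):
    """Translate a SpamAssassin address glob into a compiled regex.

    Only '*' and '?' are wildcards; everything else is literal and the
    comparison is case-insensitive (both sides are lower-cased).
    """
    parts = []
    for ch in pattern.lower():
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("".join(parts))


def matching_entries(configs, sender, directive="blacklist_from"):
    """Return [(file, line_number, pattern)] for entries that match sender.

    configs maps a file name to that file's text, in the order the files
    should be reported.
    """
    hits = []
    sender = sender.lower()
    for name, text in configs.items():
        for number, raw in enumerate(text.splitlines(), 1):
            words = raw.split("#", 1)[0].split()   # drop comments
            if len(words) < 2 or words[0] != directive:
                continue
            for pattern in words[1:]:              # several addresses per line
                if glob_to_regex(pattern).fullmatch(sender):
                    hits.append((name, number, pattern))
    return hits


# Constructed sample input, modelled on the local.cf quoted in the thread.
LOCAL_CF = "\n".join([
    "whitelist_from *.apache.org",                 # line 1
    "required_hits 8",                             # line 2
    "# Blacklist for foreign countries",           # line 3
    "blacklist_from  *.cn",                        # line 4
    "blacklist_from  *.ru *.tw",                   # line 5
])
# Constructed: a second file in the same directory with an over-broad entry.
LEFTOVER_CF = "\n".join([
    "# forgotten test entry",                      # line 1
    "blacklist_from *@*",                          # line 2
])
CONFIGS = {"local.cf": LOCAL_CF, "zz-leftover.cf": LEFTOVER_CF}

if __name__ == "__main__":
    for sender in ("friend@example.com", "Bob@Example.RU"):
        for name, number, pattern in matching_entries(CONFIGS, sender):
            print(f"{sender}: {name}:{number} blacklist_from {pattern}")
```

Run it over the real contents of every .cf file and user_prefs that the scanning process can read; an entry that matches an ordinary sender is the one to remove.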


Re: spamassassin 3.2.3 tempfiles

2007-08-23 Thread maillist

Lanfranco Fabriani wrote:


Dear sirs,

I'm sorry for my bad english, and I don't know if this is the
right mailinglist.

	For a long time that I ran spamassassin 3.1.[4-8] on a 
mail server Linux Box with sendmail 8.13 and mimedefang (I think it is 
the release 2.5.1).  Spamassassin and Mimedefang ran very smoothly.
	Monday I upgraded spamassassin at release 3.2.3. I didn't change 
the configuration file of Mimedefang or the /etc/rc.d/rc.spamd

Apparently SA runs fine, but now in my directory /tmp I find a lot of
temp file:

-rw-------   1 defang   defang  12050 Aug 23 11:35 .spamassassin11330XE1csYtmp
-rw-------   1 defang   defang  12050 Aug 23 11:35 .spamassassin11330gc0Wdvtmp
-rw-------   1 defang   defang  11976 Aug 23 11:40 .spamassassin66725Ogvc3tmp
-rw-------   1 defang   defang  12050 Aug 23 11:50 .spamassassin6672BeWqJFtmp
-rw-------   1 defang   defang  12050 Aug 23 11:43 .spamassassin6672HeI2jotmp
-rw-------   1 defang   defang  12050 Aug 23 11:50 .spamassassin6672JzKozrtmp
-rw-------   1 defang   defang  12050 Aug 23 11:43 .spamassassin6672MddHz9tmp
-rw-------   1 defang   defang  19100 Aug 23 11:16 .spamassassin6672NpY76Jtmp
-rw-------   1 defang   defang  19100 Aug 23 11:16 .spamassassin6672T7OwLltmp

In the maillog I cannot find errors. Mails are delivered at the users and 
mails with score >5 and <15 are delivered in a mailbox for the spam. 
Apparently the system runs fine.


Mimedefang runs as uid defang and group 
defang, spamd runs as mail.


Somebody can help me? I can delete the tempfiles from the cron, but above all, 
I want be sure that I don't loss the mails.


I include the spamassassin -D --lint

Best wishes!

Lanfranco Fabriani
  


I have a similar setup as you.  I looked, and I too have these /tmp 
files.  I looked on the mimedefang maillist, and found this


It's bug 5444. Mimedefang needs to call Mail::SA::Message->finish().

I'll see what I can figure out, and get back with you.

-=Aubrey=-




Re: spamassassin 3.2.3 tempfiles

2007-08-23 Thread maillist

Lanfranco Fabriani wrote:


Dear sirs,

I'm sorry for my bad english, and I don't know if this is the
right mailinglist.

	For a long time that I ran spamassassin 3.1.[4-8] on a 
mail server Linux Box with sendmail 8.13 and mimedefang (I think it is 
the release 2.5.1).  Spamassassin and Mimedefang ran very smoothly.
	Monday I upgraded spamassassin at release 3.2.3. I didn't change 
the configuration file of Mimedefang or the /etc/rc.d/rc.spamd

Apparently SA runs fine, but now in my directory /tmp I find a lot of
temp file:

-rw-------   1 defang   defang  12050 Aug 23 11:35 .spamassassin11330XE1csYtmp
-rw-------   1 defang   defang  12050 Aug 23 11:35 .spamassassin11330gc0Wdvtmp
-rw-------   1 defang   defang  11976 Aug 23 11:40 .spamassassin66725Ogvc3tmp
-rw-------   1 defang   defang  12050 Aug 23 11:50 .spamassassin6672BeWqJFtmp
-rw-------   1 defang   defang  12050 Aug 23 11:43 .spamassassin6672HeI2jotmp
-rw-------   1 defang   defang  12050 Aug 23 11:50 .spamassassin6672JzKozrtmp
-rw-------   1 defang   defang  12050 Aug 23 11:43 .spamassassin6672MddHz9tmp
-rw-------   1 defang   defang  19100 Aug 23 11:16 .spamassassin6672NpY76Jtmp
-rw-------   1 defang   defang  19100 Aug 23 11:16 .spamassassin6672T7OwLltmp

In the maillog I cannot find errors. Mails are delivered at the users and 
mails with score >5 and <15 are delivered in a mailbox for the spam. 
Apparently the system runs fine.


Mimedefang runs as uid defang and group 
defang, spamd runs as mail.


Somebody can help me? I can delete the tempfiles from the cron, but above all, 
I want be sure that I don't loss the mails.


I include the spamassassin -D --lint

Best wishes!

Lanfranco Fabriani
  


Indeed it's mimedefang.  Upgrade to version 2.63.  Here's the change log:

  * mimedefang-multiplexor.c: Relax the umask when creating the
    unprivileged socket ("-a" command-line option.)
  * mimedefang.c(eom): If we do not have a queue ID yet, try to obtain
    one in eom. This is designed to improve operation with Postfix, which
    does not assign a queue ID until after the first successful RCPT.
    Based on a patch from Henrik Krohns.
  * examples/init-script.in: Added MD_SKIP_BAD_RCPTS init script option
    (suggested by John Nemeth)
  * Remove support for OpenAntivirus. It's a dead product.
  * mimedefang.pl.in(spam_assassin_status): Call $mail->finish() to
    prevent temporary files from accumulating.
  * redhat/mimedefang-init.in: Add configtest routine to check filter
    syntax.



-=Aubrey=-


Re: charter.net

2007-08-24 Thread maillist

Ray Dzek wrote:

Just as a side note...

I am a charter customer.  I have spoken with their technical assistance
many times, and at various levels, for myself and on behalf of others I
have tried to assist.  They are by far the most incompetent ISP I have
ever dealt with.  They only have one answer for everything, which is
reboot your computer and your modem.  And god help you if you let them
troubleshoot beyond that.  They make the "Geek Squad" look like computer
savants.  So frankly, this type of brute force solution does not
surprise me in the slightest.

  

-----Original Message-----
From: Jonn R Taylor [mailto:[EMAIL PROTECTED]
Sent: Friday, August 24, 2007 5:30 AM
To: users@spamassassin.apache.org
Subject: Re: charter.net

Kai Schaetzl wrote:


Matt Kettler wrote on Thu, 23 Aug 2007 22:59:11 -0400:

  

I think it's a brain-dead attempt to counter the image and pdf
spams that have been so popular lately.


It would be nice if they would block their outgoing spam in the same
effective way. They are among the biggest spam sources for us.

Kai

  

Yes, that is very true. A lot of the spam that I see is from charter.net,
but I do see a lot of spoofed addresses with their name. What's even more
interesting is that they block 25 outgoing. So I am not sure why we all
see so much spam from them.

Jonn



  


Tell them that you want a job.

-=Aubrey=-


Re: Do procmail and spamassassin violate this "patent"?

2007-08-30 Thread maillist

Igor Chudov wrote:

Read this jaw dropping article about how someone "patented" what has
been done by procmail for many, many years.

http://informationweek.com/news/showArticle.jhtml?articleID=201802746
  


First of all, how can you sue someone or an organization for something 
like this?  How can you prove any "loss" that needs to be refunded?  I'm 
not claiming to know anything about patents, or big business, or even 
what the article is about (because I didn't read it), but as far as I 
know about suing someone/something, you have to be able to prove how it 
is a loss to you/your company.


Second, how is this related to Spamassassin?  Maybe some of the 
Spamassassin team can comment.  How much worries are there when 
developing Spamassassin, as far as getting sued?



-=Aubrey=-


Re: autolearn=failed

2007-09-06 Thread maillist




As you want a site-wide Bayes, you also need the "bayes_path"
parameter. What setting do you have for "bayes_path" (note it
isn't a simple directory name).


bayes_path /usr/spamassassin/bayes
bayes_file_mode 0777


OK, is the directory "/usr/spamassassin" writable by the user-ID that
you are running spamd as? What happens if you do a:
   chmod 1777 /usr/spamassassin

and then retest?

Strong suggestion, do -not- put your bayes stuff into a directory
that contains other SA components. Best to have a directory in your
"/var" partition just for the bayes stuff.




In my experience, if you want your bayes directory to be 
"/usr/spamassassin/bayes" then you have to add this to your config:


bayes_path /usr/spamassassin/bayes/bayes

-=Aubrey=-
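
Added example, not part of the thread or of SpamAssassin: a Python check for the Bayes permission problem discussed here and in the "spamd is dying" thread above. It treats bayes_path as a file-name prefix, checks that the scanning user can create the lock file in the parent directory and can read and write bayes_toks and bayes_seen, and flags world-writable entries. The Entry records stand in for os.stat() results; uid 8 for "mail" and the 0600 file modes are assumptions, while uid 5002 for "filter" comes from the log in that thread.

```python
import stat
from collections import namedtuple
from posixpath import dirname

# Stand-in for the os.stat() fields the check needs, so the example runs offline.
Entry = namedtuple("Entry", "uid gid mode")


def allowed(entry, uid, gids, want):
    """True if uid/gids hold every bit in `want` (r=4, w=2, x=1) on entry."""
    if uid == 0:
        return True                     # root bypasses the permission bits
    if entry.uid == uid:
        bits = entry.mode >> 6          # owner class
    elif entry.gid in gids:
        bits = entry.mode >> 3          # group class
    else:
        bits = entry.mode               # other class
    return (bits & want) == want


def audit_bayes_path(bayes_path, fs, uid, gids):
    """Return [(path, problem)] for the user that runs the scan.

    bayes_path is the value from the config file: a file-name prefix to
    which _toks, _seen and .lock are appended, not a directory.
    fs maps absolute paths to Entry records.
    """
    here = fs.get(bayes_path)
    if here is not None and stat.S_ISDIR(here.mode):
        return [(bayes_path, "is-directory")]
    parent = dirname(bayes_path)
    folder = fs.get(parent)
    if folder is None or not stat.S_ISDIR(folder.mode):
        return [(parent, "missing-directory")]

    findings = []
    # The lock file (bayes.lock.<host>.<pid>) is created in the parent
    # directory, which needs write and search permission.
    if not allowed(folder, uid, gids, 0o3):
        findings.append((parent, "cannot-create-lockfile"))
    if folder.mode & 0o002:
        findings.append((parent, "world-writable"))
    for suffix in ("_toks", "_seen"):
        path = bayes_path + suffix
        entry = fs.get(path)
        if entry is None:
            continue                    # created on first learn
        if not allowed(entry, uid, gids, 0o6):
            findings.append((path, "not-read-write"))
        if entry.mode & 0o002:
            findings.append((path, "world-writable"))
    return findings


MAIL, FILTER = 8, 5002                  # uid 8 is constructed; 5002 is from the log
DIR = "/var/spool/spamassassin"
# The listing from the "spamd is dying" thread, file modes assumed to be 0600.
THREAD_LISTING = {
    DIR: Entry(MAIL, MAIL, stat.S_IFDIR | 0o755),
    DIR + "/bayes_seen": Entry(0, 0, stat.S_IFREG | 0o600),
    DIR + "/bayes_toks": Entry(MAIL, MAIL, stat.S_IFREG | 0o600),
}

if __name__ == "__main__":
    for who, uid in (("filter", FILTER), ("mail", MAIL)):
        for path, problem in audit_bayes_path(DIR + "/bayes", THREAD_LISTING, uid, {uid}):
            print(f"as {who}: {path}: {problem}")
```

With that listing even the "mail" user fails on the root-owned bayes_seen, which is what running sa-learn as root against a shared database tends to leave behind.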


Re: Bayesian filtering not kicking in, but it's trained.

2007-09-06 Thread maillist

RinkWorks wrote:
I'm trying to run Spam Assassin 3.1.7 as root

Let me stop you right there.  You cannot run spamd as root.  It drops 
privs, and runs as user "nobody".


/usr/sbin/spamd --create-prefs --max-children 5 --helper-home-dir -d \
--pidfile=/var/run/spamd.pid

It would be best to create a spamd user, and start with this:

/usr/sbin/spamd --create-prefs --username=spamd --max-children 5 \
--helper-home-dir -d --pidfile=/var/run/spamd.pid

You can specify a bayes_path in your config, and run sa-learn as root if you'd like.


-=Aubrey=-





Re: newbie question about bayesian filter

2007-09-07 Thread maillist

Miguel wrote:
Dear All, im using SA in a central system wide dedicated filter, so i 
dont have any account in it, the "clean" emails are forwarded to the 
final destination servers.
In this scenario, nobody will be training SA, so, does it make sense 
to use the bayesian filter at all? ,or SA will still use the bayesian 
filter from the day to day spam/ham hit ratios?


Thanks
---
Miguel



I don't know about anyone else, but the bayes system *to me* is the 
bread & butter of spamassassin, and *for me* makes the whole process 
painless.  If I get spam that doesn't score high enough, I run "sa-learn 
--spam /path/to/file" and I never see that spam again.


But then again, I use one server, and have less than 100 users, so doing 
this manually is not a bad idea for me.


Re: FW: List of 700,000 IP addresses of virus infected computers

2007-09-12 Thread maillist

Luis Hernán Otegui wrote:

2007/9/12, Jon Trulson <[EMAIL PROTECTED]>:
  

On Wed, 12 Sep 2007, Jason Bertoch wrote:



On Tuesday, September 11, 2007 7:07 PM Marc Perkel wrote:

  

The details are a little to complex for this forum ...


OK - had quite a few trolls here who seem to be hostile to my
breakthroughs so I wasn't that motivated to post information.



Is there any chance we can get a moderator on this, please?  This is clearly not
a SA topic and I'm weary of insults, flames, and advertisements from Marc.

  

  FWIW, +1

--
Jon Trulson
mailto:[EMAIL PROTECTED]
#include 
"No Kill I" -Horta




OK, count me in...

  


I'm quite sad to have to agree with most everyone on this list about his 
posts.  They are off topic, and not relevant to Spamassassin.  I do 
however feel sorry for him.  He seems to be lost to his friends.


+1

-=Aubrey=-


Re: Forwarding and spamassassin...

2007-09-23 Thread maillist

mel goldberg wrote:
I’m new to the list, apologize in advance if I should be posting this 
somewhere else.


I am attempting to SPAM filter and forward from my server to another. 
Spamassassin filters but the server will not forward. Has anyone found 
a way to do this?


You can use mimedefang.

http://www.mimedefang.org/




Re: How to trust my "domain"?

2007-10-17 Thread maillist

Skip wrote:

Guess this would help:

Using sendmail 8.13.8 with SA 3.2.3

- Skip

  
From: Chris 'Xenon' Hanson [mailto:[EMAIL PROTECTED] 
   Usually you do this with a combination of trusted_networks 
and exclusion in your scanner.



  


You may want to look into mimedefang.  It works well with sendmail, and 
spamassassin, as well as whatever antivirus you may be running.


If you are already running mimedefang, and assuming that your LAN ip 
scheme is 10.0.1., then add this bit to the sub filter_end part of 
mimedefang-filter:


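   # stopmyfilter
   # Skip all further filtering for relays on the local LAN (10.0.1.x).
   sub filter_relay($$$) {
       my ($ip, $name, $helo) = @_;
       # Anchor the match at the start of the address: an unanchored
       # /10\.0\.1\./ would also match addresses such as 110.0.1.5.
       if ($ip =~ /^10\.0\.1\./) {
           return ('ACCEPT_AND_NO_MORE_FILTERING', "ok");
       }
       return ('CONTINUE', "ok");
   }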

-Aubrey


required_score

2007-10-30 Thread maillist

SpamAssassin version 3.2.3
 running on Perl version 5.8.8
mimedefang version 2.63
sendmail Version 8.14.0

I have been running spamassassin for over 2 years now, and suddenly, the 
required score has changed.  I have it set to 7.0, but it has suddenly 
changed back to the default of 5.0.  I only noticed it today, and 
haven't got a clue as to where it's pulling the required score from.


/etc/mail/spamassassin/local.cf:

required_score 7.0

I am not using any user_prefs anywhere (that I know of).  But just 
in-case I was, I changed all instances of any file called user_prefs to 7.0.


If I run spamc -c < message, I get back
5.5/7.0

if I run spamassassin -t message
I also get back the correct score.

I start spamd as root like this

/usr/bin/spamd -r /var/run/spamd.pid \
-d --username=defang --max-spare=8 --min-children=10 --max-children=45

Any help is appreciated.

-Aubrey


Re: required_score

2007-11-06 Thread maillist

Jason Bertoch wrote:

On Tuesday, October 30, 2007 5:36 PM maillist wrote:

  

SpamAssassin version 3.2.3
  running on Perl version 5.8.8
mimedefang version 2.63
sendmail Version 8.14.0




Check for either /etc/mail/sa-mimedefang.cf or
/etc/mail/spamassassin/sa-mimedefang.cf



Jason A. Bertoch
Network Administrator
[EMAIL PROTECTED]
ElectroNet Intermedia Consulting
3411 Capital Medical Blvd.
Tallahassee, FL 32308
(V) 850.222.0229 (F) 850.222.8771

  


You were exactly correct.  I upgraded mimedefang a couple of weeks ago.  
I guess that file was overwritten.


Thanks

-Aubrey


Re: StupidFilter

2007-12-21 Thread maillist

Kenneth Porter wrote:

A teammate called my attention to this interesting project:




The solution we're creating is simple: an open-source filter software
that can detect rampant stupidity in written English. This will be
accomplished with weighted Bayesian or similar analysis and some
rules-based processing, similar to spam detection engines. The primary
challenge inherent in our task is that stupidity is not a binary
distinction, but rather a matter of degree. To this end, we're collecting
a ranked corpus of stupid text, gleaned from user comments on public
websites and ranked on a five-point scale.


Might make a good SA plugin.



What would be the difference in assuming that everything is stupid, then 
create a "smartness" filter that only allows good ideas through.  I 
mean, it would be closer to reality that way.


Speaking of that, what ever happened to the idea that someone had a few 
months ago?  It was a new approach to filter email.  The main idea was 
to assume that everything was spam, then build your filter based on 
"good mail" qualities.  Seeing as how my spam/ham ratio is about 100/1, 
it seems more applicable.


-Aubrey


Spam not getting scored ....or something

2007-12-28 Thread maillist

slackware 11.0
spamassassin version 3.2.3
 running on Perl version 5.8.8
mimedefang 2.63
sendmail 8.14.0

My issue is that it appears that spam is getting through without being 
scanned.  I get a spam message, then run spamassassin -t < message and 
it scores high enough to get marked as spam.  I don't know if it's some 
problem with the milter between sendmail and mimedefang, like a timeout 
or something, or what.


I don't think I get more than 30 messages per minute at peak times, so 
this seems that this wouldn't be the case.  Is anyone else having this 
same issue?


Any help is appreciated
-Aubrey


Re: How to restart the spamassassin in command prompt

2008-01-07 Thread maillist

Sg wrote:

Hi

  After modifying the configurations and scores should we restart 
the SA. How to start the SA-3.2.3?


--
Sg 


You really should be able to just type in "/usr/bin/spamd" at the 
command prompt, and it will start.  "man spamd" will show you the 
switches involved.



I do this

/usr/bin/spamd \
-r /var/run/spamd.pid \
-d --username=defang \
--max-spare=8 \
--min-children=10 \
--max-children=45

to end it

killall spamd

Anything else is just being fancy.  :)

-Aubrey



Re: Question on focus of Bayes

2008-03-10 Thread maillist

Theodore Heise wrote on 09.03.2008 19:15:


Occasionally I get unsolicited bulk e-mail on a topic that is of 
borderline interest to me.  My tendency is to delete it from my spam 
folder before training the Bayes functions on my spam.  I've 
considered training Bayes on these messages as ham, but I don't know 
if that might have a tendency to lower scores on unsolicited bulk 
e-mail in general.


If this is the case, then why filter mail at all?  What if you miss 
something that you may want?


Seriously though, that's just crazy talk.  If you didn't request the 
mail in some form or fashion, then it's SPAM, bottom-line.  Do I want to 
see real photos of Angelina Jolie nude - hell yeah! - but it's still 
spam, and should be learned as such.


-Aubrey


Different scores

2008-07-28 Thread maillist

Hi guys,

slackware 11.0
spamassassin version 3.2.5
 running on Perl version 5.8.8
mimedefang version 2.64
sendmail 8.14

   I am getting a lot of spam.  I did some investigating, and it looks 
like I have something set up incorrectly.  If I get a spam message, and 
run it through "spamassassin -t", then it shows that it should be spam, 
but during the process when the mail actually comes in, it is scoring 
much lower.  I have been using spamassassin for 3 years now, and can't 
seem to figure this out.


   I ran spamassassin -D --lint, and see nothing useful.

When I start spamassassin, I start it like this:
/usr/bin/spamd -r /var/run/spamd.pid \
-d --username=defang --max-spare=8 --min-children=5 --max-children=25

I have been testing this as root, but tried as the user "defang" and get 
the same results.


I don't see anything in my logs that would reflect an error, I'm kind of 
stuck.  Can anyone give any advice?


TIA
-Aubrey


Re: Different scores

2008-07-28 Thread maillist

Bowie Bailey wrote:

maillist wrote:
  

Hi guys,

slackware 11.0
spamassassin version 3.2.5
  running on Perl version 5.8.8
mimedefang version 2.64
sendmail 8.14

I am getting a lot of spam.  I did some investigating, and it
looks like I have something set up incorrectly.  If I get a spam
message, and run it through "spamassassin -t", then it shows that it
should be spam, but during the process when the mail actually comes
in, it is scoring much lower.  I have been using spamassassin for 3
years now, and can't seem to figure this out.

I ran spamassassin -D --lint, and see nothing useful.

When I start spamassassin, I start it like this:
/usr/bin/spamd -r /var/run/spamd.pid \
-d --username=defang --max-spare=8 --min-children=5 --max-children=25



Run the message through spamc and see what you get.

$ spamc < test.msg

  


I did, and no matter if I use the -c flag or not, I get the same as if 
I ran it through spamassassin -t


Another responded with a request for more info.  I posted one small 
message here...


http://emailacs.com/temp/J872209005Tq/7.txt

The test score for that message was 6.269 ( 7 is required ) and the 
tests that it hit were:

BAYES_80,DATE_IN_PAST_06_12,HS_BOBAX_MID_2,RDNS_NONE


...however, when I manually run it through either spamc -c < 7.txt or 
spamassassin -t 7.txt, it scores the following...


Content analysis details:   (16.4 points, 7.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 3.0 RCVD_IN_XBL            RBL: Received via a relay in Spamhaus XBL
                            [190.97.76.59 listed in zen.spamhaus.org]
 2.3 RCVD_IN_PBL            RBL: Received via a relay in Spamhaus PBL
 0.9 RCVD_IN_SORBS_DUL      RBL: SORBS: sent directly from dynamic IP address
                            [190.97.76.59 listed in dnsbl.sorbs.net]
 8.0 BAYES_99               BODY: Bayesian spam probability is 99 to 100%
                            [score: 0.9955]
 1.0 HS_BOBAX_MID_2         Bobax? Message-Id: <[EMAIL PROTECTED]>
 1.1 DATE_IN_PAST_06_12     Date: is 6 to 12 hours before Received: date
 0.1 RDNS_DYNAMIC           Delivered to trusted network by host with
                            dynamic-looking rDNS

...sorry for the crappy page breaks.

TIA
-Aubrey


Re: Different scores

2008-07-28 Thread maillist

Karsten Bräckelmann wrote:


RBL hits. They most likely have been updated since the original scan.
Since you get this result with a subsequent spamc run, too, we pretty
much can rule out permanent DNS failures or local tests option. Still, a
(potentially local) temporary DNS issue might explain it.



I feel like a complete ass.  After reading this, I remembered that once 
I suspected that the DNS queries were taking too long, and decided to do 
some testing, so I turned off the RBL checks, but I did this in 
mimedefang's config file.  I re-enabled it, and will probably find that 
my problem is gone now.


As always, many thanks for this group, and all its help

-Aubrey
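
Added example, not from the thread or from MIMEDefang: both this thread and the required_score thread above came down to MIMEDefang scanning with settings that differ from what spamc and spamassassin -t use. This Python script compares the effective values of a few score-affecting settings in two config texts and reports the drift. The file contents are constructed, and expressing the disabled RBL checks as skip_rbl_checks in sa-mimedefang.cf is an assumption (the thread only says "mimedefang's config file").

```python
# Settings that change the score or the threshold, with SpamAssassin's
# documented defaults for when a file does not set them.
DEFAULTS = {
    "required_score": 5.0,
    "skip_rbl_checks": 0.0,
    "use_bayes": 1.0,
    "bayes_auto_learn": 1.0,
}
ALIASES = {"required_hits": "required_score"}   # older name, same setting


def effective(text):
    """Return the tracked settings of one config text; the last line wins."""
    settings = dict(DEFAULTS)
    for raw in text.splitlines():
        words = raw.split("#", 1)[0].split()    # drop comments
        if len(words) < 2:
            continue
        key = ALIASES.get(words[0], words[0])
        try:
            if key in DEFAULTS:
                settings[key] = float(words[1])
            elif key == "score" and len(words) >= 3:
                # Per-rule override, e.g. "score BAYES_99 8.0"
                settings["score " + words[1]] = float(words[2])
        except ValueError:
            continue                            # not a plain number; not tracked
    return settings


def drift(cli_text, milter_text):
    """Return sorted [(setting, cli_value, milter_value)] where the two differ.

    None means that side has no override for a per-rule score.
    """
    cli, milter = effective(cli_text), effective(milter_text)
    keys = sorted(set(cli) | set(milter))
    return [(k, cli.get(k), milter.get(k)) for k in keys if cli.get(k) != milter.get(k)]


# Constructed: what spamassassin -t and spamd read.
LOCAL_CF = """\
required_score 7.0
use_bayes 1
bayes_auto_learn 1
skip_rbl_checks 0
score BAYES_99 8.0
"""

# Constructed: a sa-mimedefang.cf as it might look after a package upgrade
# replaced it, with network tests switched off for an old experiment.
SA_MIMEDEFANG_CF = """\
# required_score 7.0   (local change lost in the upgrade)
required_hits 5
skip_rbl_checks 1
"""

if __name__ == "__main__":
    for setting, cli, milter in drift(LOCAL_CF, SA_MIMEDEFANG_CF):
        print(f"{setting}: command line {cli}, MIMEDefang {milter}")
```

Feed it the real local.cf and whichever sa-mimedefang.cf exists under /etc/mail or /etc/mail/spamassassin, and rerun it after every MIMEDefang upgrade.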


Re: Hi, help with spamc and sa-learn

2006-12-27 Thread maillist

Exal de Jesus Garcia Carrillo wrote:


Hi, I have already installed spamassassin locally on my machine. Now I
want to tell spamassassin which messages are spam and which aren't. I have
read about spamc and sa-learn, but how exactly do you use them? I mean, I
read the manpage and it shows me the usage: "spamc [options] < message",
but what does this mean? Which message? In some file, maybe?
And sa-learn? Which is better?



thanks.

  
To begin with, you are looking in the wrong man pages.  You should look 
in the man pages for sa-learn.  There's a lot there, and it's all pretty 
important that you fully understand it, and feel comfortable with it, 
it's not hard.


It all depends on what format your in-box is using.  If it is mbox 
format (mostly used, I believe), then the proper way to run sa-learn to 
learn spam is to first of all, get all of your spam messages into one 
single file, mbox style.  Let's pretend that the file you end up with is 
named /var/spool/mail/spam.  In that case, you would run:


sa-learn --spam --mbox /var/spool/mail/spam

If you want to learn ham (good email), and you have a file in that same 
directory called "ham", then run:


sa-learn --ham --mbox /var/spool/mail/ham

-=Aubrey=-



Re: Precleaning SA market spam from Mbox?

2006-12-28 Thread maillist

JamesDR wrote:

David Flanigan wrote:

James,
Thanks for the reply. I was not planning on double scanning, the BCC 
idea is basically the same, though I would be doing it via the 
/etc/aliases mapping to make it transparent. I am running Sendmail as 
the MTA.
The real question is how to do the spam check, either during or after 
the messages hit the PDA mailbox. That is where the script or other 
appropriate tool would come in. Advice on such a tool would be 
appreciated. 

Can you not use sendmail's milter for this?

-=Aubrey=-


Re: "Present" slipping through - same as "insider information"

2006-12-28 Thread maillist

Vernon Webb wrote:
I have a ton of these emails getting through that have the sender's name and the word 
Present getting through and they are the same as the insider information from last 
week. I have MailScanner, SpamAssassin, SARE, Botnet, Razor2, Pyzor, ClamAv and f-prot 
all installed and as far as I know working properly. Anyone else having this issue?


Thanks

  
I do not have that issue.  Are you using sa-learn to learn the messages 
as spam?


-=Aubrey=-


Re: errors with spamassain in windows

2006-12-30 Thread maillist

Guido van Brakel wrote:

Dear Sir/Madam,


I'm trying to install SpamAssassin under Windows. I installed perl and nmake.
But I'm getting these errors:

---
C:\Perl\bin\perl.exe version.h.pl
version.h.pl: creating version.h
copy config.h.win config.h
copy spamc.h.win spamc.h
C:\Perl\bin\perl.exe ..\build\preprocessor -Mvars -iMakefile.win -oMakefile
cd ..
NMAKE -f spamc/Makefile spamc/spamc.exe

Microsoft (R) Program Maintenance Utility Version 1.50
Copyright (c) Microsoft Corp 1988-94. All rights reserved.

cd spamc
NMAKE spamc.exe

Microsoft (R) Program Maintenance Utility Version 1.50
Copyright (c) Microsoft Corp 1988-94. All rights reserved.

cl /DWIN32 /W4 spamc.c replace\getopt.c libspamc.c utils.c ws2_32.lib
'cl' is not recognized as an internal or external command,
operable program or batch file.
NMAKE : fatal error U1077: 'C:\WINDOWS\system32\cmd.exe' : return code '0x1'
Stop.
NMAKE : fatal error U1077: 'C:\WINDOWS\system32\cmd.exe' : return code '0x2'
Stop.
NMAKE : fatal error U1077: 'C:\WINDOWS\system32\cmd.exe' : return code '0x2'
Stop.

C:\Downloads\Mail-SpamAssassin-3.1.7\Mail-SpamAssassin-3.1.7>
C:\Downloads\Mail-SpamAssassin-3.1.7\Mail-SpamAssassin-3.1.7>spamassassin -D
< sample-spam
.txt
'spamassassin' is not recognized as an internal or external command,
operable program or batch file.

C:\Downloads\Mail-SpamAssassin-3.1.7\Mail-SpamAssassin-3.1.7>NMAKe

Microsoft (R) Program Maintenance Utility Version 1.50
Copyright (c) Microsoft Corp 1988-94. All rights reserved.

NMAKE -f spamc/Makefile spamc/spamc.exe

Microsoft (R) Program Maintenance Utility Version 1.50
Copyright (c) Microsoft Corp 1988-94. All rights reserved.

cd spamc
NMAKE spamc.exe

Microsoft (R) Program Maintenance Utility Version 1.50
Copyright (c) Microsoft Corp 1988-94. All rights reserved.

cl /DWIN32 /W4 spamc.c replace\getopt.c libspamc.c utils.c ws2_32.lib
'cl' is not recognized as an internal or external command,
operable program or batch file.
NMAKE : fatal error U1077: 'C:\WINDOWS\system32\cmd.exe' : return code '0x1'
Stop.
NMAKE : fatal error U1077: 'C:\WINDOWS\system32\cmd.exe' : return code '0x2'
Stop.
NMAKE : fatal error U1077: 'C:\WINDOWS\system32\cmd.exe' : return code '0x2'
Stop.

C:\Downloads\Mail-SpamAssassin-3.1.7\Mail-SpamAssassin-3.1.7>NMAKE -f
spamc/Makefile spamc
/spamc.exe

Microsoft (R) Program Maintenance Utility Version 1.50
Copyright (c) Microsoft Corp 1988-94. All rights reserved.

cd spamc
NMAKE spamc.exe

Microsoft (R) Program Maintenance Utility Version 1.50
Copyright (c) Microsoft Corp 1988-94. All rights reserved.

cl /DWIN32 /W4 spamc.c replace\getopt.c libspamc.c utils.c ws2_32.lib
'cl' is not recognized as an internal or external command,
operable program or batch file.
NMAKE : fatal error U1077: 'C:\WINDOWS\system32\cmd.exe' : return code '0x1'
Stop.
NMAKE : fatal error U1077: 'C:\WINDOWS\system32\cmd.exe' : return code '0x2'
Stop.

C:\Downloads\Mail-SpamAssassin-3.1.7\Mail-SpamAssassin-3.1.7>cd spamc

C:\Downloads\Mail-SpamAssassin-3.1.7\Mail-SpamAssassin-3.1.7\spamc>NMAKE
spamc.exe

Microsoft (R) Program Maintenance Utility Version 1.50
Copyright (c) Microsoft Corp 1988-94. All rights reserved.

cl /DWIN32 /W4 spamc.c replace\getopt.c libspamc.c utils.c ws2_32.lib
'cl' is not recognized as an internal or external command,
operable program or batch file.
NMAKE : fatal error U1077: 'C:\WINDOWS\system32\cmd.exe' : return code '0x1'
Stop.

C:\Downloads\Mail-SpamAssassin-3.1.7\Mail-SpamAssassin-3.1.7\spamc>

Do you know how I can fix it or how I can get it to work?

Yours Sincerely,

Guido


  

What is this, "Windows", you speak of?  Isn't it a reboot tool for PC's?

-=Aubrey=-




Re: Any anti-spam solution against outgoing mail?

2006-12-30 Thread maillist

Ian Eiloart wrote:



--On 26 December 2006 05:53:12 + Monty Ree <[EMAIL PROTECTED]> 
wrote:



Hello, list.

I have used SA with procmail well against incoming mail.
But there are lots of outgoing spam mails sent using web programs or using
sendmail on my server.
(Several domains are hosted on the server.)
So is there any program like spamassassin which can filter
outgoing spam mail,
or any program which can limit the sending of spam mail?

Please recommend any for me..

my system is linux and sendmail.




Mimedefang scans outgoing messages, and uses spamassassin.  
http://www.mimedefang.org/


-=Aubrey=-


Re: spamassassin and spamc calculate different results

2007-01-02 Thread maillist

Thomas Schlosser wrote:

Hi,

I have a SUSE 9.3 mailserver with Postfix and SA 3.1.7 running.

Unfortunately the commands (run as root)
spamassassin  http://www.linuxforen.de/forums/showthread.php?t=229016
(including the scan reports!)

One source could be the associated user, but when trying to run either
spamd/spamc or spamassassin with different users (my account, root,
nobody, spamfilt [which is the dummy account to run spamd]) no result
matches the plain spamassassin call as root.
I have no user specific prefs (that I know of). I started to build a
Bayes-DB the last days (which seems to be found under user "spamfilt").
I even tried to run spamd with -c or with -x.

Any hints for me on where I can look? Any information I could 
provide?


spamd:
/usr/local/bin/spamd -d -c -u spamfilt
--configpath=/usr/local/share/spamassassin
--siteconfigpath=/etc/mail/spamassassin -r /var/run/spamd.pid
local.cf:
rewrite_header Subject SPAM(_SCORE_)
report_safe 1
use_bayes 1
bayes_auto_learn 1

Thanks in advance!
Thomas

I had the same issue.  I am willing to bet that it is the bayes that is 
not being used by spamc.  If so, this is due to the location of the 
bayes_path in your config file.  Make sure that you specify a place for 
that.  You may need to copy /root/.spamassassin/bayes_* to another location.


For example, if you were to stick those files in 
/etc/mail/spamassassin/bayes/, then in your config file, put this


bayes_path /etc/mail/spamassassin/bayes/bayes

Yes, the bayes on the end is correct.  It seems like it should be 
bayes_path /etc/mail/spamassassin/bayes/bayes* or something like that, 
but it isn't.


-=Aubrey=-




Re: how filter messages by subject

2007-01-03 Thread maillist

Kurt Buff wrote:

Missed the beginning of this conversation.

If it's about 'naughty' words, then I've got a word for you:

  Scunthorpe

It's a small town in the UK, and their local government had almost no
incoming mail when they implemented a naive naughty word filter, until they
figured it out.

Heh.


Kurt
  


But you can use:

body     PROFANITY_RULE  /\bcunt\b/i
score    PROFANITY_RULE  15.0
describe PROFANITY_RULE  Naughty naughty word found in message


-=Aubrey=-


Re: Training Bayesian Filter

2007-01-03 Thread maillist

[EMAIL PROTECTED] wrote:

Running spamassassin 3.0 and I'm invoking it through amavisd. When I train
the spamassassin using sa-learn for ham and spam respectively, it seems to
only work for the ham not the spam. The command runs fine, but spam e-mail
that I trained spamassassin with still show up untagged as spam. The ham
e-mail that I trained spamassassin with work fine and they don't get
tagged as spam anymore.

Running spamassassin under Mandriva
2006 Linux.

Your help would be appreciated.

This depends on how your server is set up.  Are you using mbox style 
in-boxes?


If so, make sure that you're using the --mbox switch along with the 
--spam or --ham switches.


-=Aubrey=-


Re: White Listing

2007-01-03 Thread maillist

Bret Miller wrote:

I am looking for an easy way for my spamassassin to relearn messages
marked as spam that users would like to get.  Would it be safe and avoid
bayesian poisoning if I were to setup an email box such as
[EMAIL PROTECTED] and have users forward nonspam emails to this email
address and then learn it as ham?



There was a script posted a while back as an example of how you could
detach "forward as attachment" messages into a folder for learning. I
don't remember the author, but I'm reposting the script since it could
be useful here. 


WARNING: lines may wrap
_

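#!/usr/bin/perl

use strict;
use warnings;

use Mail::SpamAssassin::Message;
use Data::UUID;

# Read the whole forwarding message. The filehandle was stripped by the
# archive; STDIN is assumed here.
my @message = <STDIN>;
# Directory that receives the extracted messages; it must already exist.
my $path = "/tmp/spam/";

# The archive obfuscated this argument as an address; a reference to
# @message is restored here.
my $msg = Mail::SpamAssassin::Message->new(
  {
    'message' => \@message,
  }
) || die "Message error?";

# Write every attached message/* part to its own uniquely named .eml file.
foreach my $p ($msg->find_parts(qr/^message\b/i, 0)) {
  eval {
    no warnings;
    my $type = $p->{'type'};
    my $ug = Data::UUID->new;
    my $uuid1 = $ug->create_str();
    my $attachname = $path . $uuid1 . ".eml";
    # "or" binds looser than "||", so a failed open really reaches die.
    open(my $out, ">", $attachname)
      or die "Can't write file $attachname: $!";
    binmode $out;
    print $out $p->decode();
    close($out) or die "Can't close file $attachname: $!";
  };
  # Report a failed part instead of silently skipping it.
  warn $@ if $@;
}
__END__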





  
There is a script that ships with spamassassin, it's called "mboxsplit", 
and it rocks.  It is in the tools directory.  It breaks the mbox into 
files named 1, 2, 3, 4, 5.  It rocks.


-=Aubrey=-



Re: train forwarded messages on local SA server

2007-01-23 Thread maillist

R Lists06 wrote:

Is it ok to sa-learn train forwarded messages that end up in my local
account mailboxes from accounts on remote servers (out of my admin control)
that are spam?

 - rh

--
Robert - Abba Communications
   Computer & Internet Services
 (509) 624-7159 - www.abbacomm.net



  
I would think so, as long as you are able to train both HAM and SPAM 
from that forwarded domain.  I have this same situation myself, and it's 
for the owner of the company. 


-=Aubrey=-


Re: True spam getting really low Bayesian points

2007-01-25 Thread maillist

Kim Christensen wrote:

Hey list,

I've recently started training our bayesian filter with spam/ham from my
personal mailbox, to prepare for live usage on our customer accounts.

% sa-learn --dump magic
...
0.000          0        340          0  non-token data: nspam
0.000          0        475          0  non-token data: nham
0.000          0      53404          0  non-token data: ntokens
...

So far so good, and spamd is actually using the bayesian db when
examining incoming mails. However, I find that a few of the legit ham 
(not a majority) mails get unusually high bayesian points, while some
of the real spam (which gets scored as spam by sa) often get bayesian
points < 1. 


Now, I'm sure I haven't trained the database with wrong messages. Is it
a good idea to continue feeding sa-learn with example spam and ham until
it reaches a few thousands messages, before relying on the results?

I would think my current amount is sufficient, but I guess something's
wrong with this picture :-)


Best regards
  
Run spamassassin --test-mode on the messages that are scoring high and 
low.  See if they are actually running through any BAYES_* tests.  I'm 
not 100% sure but I think that by default, the bayes do not even begin 
until you have 500 trained messages of each spam and ham.


You can of course get around this by setting bayes_min_ham_num  and  
bayes_min_spam_num in your local.cf file.


-=Aubrey=-


Re: True spam getting really low Bayesian points

2007-01-25 Thread maillist

maillist wrote:

Kim Christensen wrote:

Hey list,

I've recently started training our bayesian filter with spam/ham from my
personal mailbox, to prepare for live usage on our customer accounts.

% sa-learn --dump magic
...
0.000          0        340          0  non-token data: nspam
0.000          0        475          0  non-token data: nham
0.000          0      53404          0  non-token data: ntokens
...

So far so good, and spamd is actually using the bayesian db when
examining incoming mails. However, I find that a few of the legit ham 
(not a majority) mails get unusually high bayesian points, while some
of the real spam (which gets scored as spam by sa) often get bayesian
points < 1.

Now, I'm sure I haven't trained the database with wrong messages. Is it
a good idea to continue feeding sa-learn with example spam and ham until
it reaches a few thousands messages, before relying on the results?

I would think my current amount is sufficient, but I guess something's
wrong with this picture :-)


Best regards
  
Run spamassassin --test-mode on the messages that are scoring high and 
low.  See if they are actually running through any BAYES_* tests.  I'm 
not 100% sure but I think that by default, the bayes do not even begin 
until you have 500 trained messages of each spam and ham.


You can of course get around this by setting bayes_min_ham_num  and  
bayes_min_spam_num in your local.cf file.


-=Aubrey=-


The default for 3.* is 200 messages for each.  Sorry dude.

-=Aubrey=-
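
The threshold check discussed in the two replies above can be run against the `sa-learn --dump magic` counters directly. This is an added example, not code from the thread or from SpamAssassin: the function name and the sample `local.cf` overrides are assumptions, and the counters are the ones quoted in the question, laid out in dump-magic columns.

```python
import re

# Default for bayes_min_spam_num / bayes_min_ham_num in SpamAssassin 3.x,
# the figure given in the follow-up message above.
DEFAULT_MIN = 200

# One counter row of `sa-learn --dump magic`: four numeric columns, then
# "non-token data: <name>". The third column carries the value.
MAGIC_ROW = re.compile(
    r"^[ \t]*[\d.]+[ \t]+\d+[ \t]+(\d+)[ \t]+\d+[ \t]+"
    r"non-token data:[ \t]*(\S.*?)[ \t]*$", re.M)
# bayes_min_*_num lines in local.cf, with an optional trailing comment.
MIN_SETTING = re.compile(
    r"^[ \t]*bayes_min_(spam|ham)_num[ \t]+(\d+)[ \t]*(?:#.*)?$", re.M)

# Constructed sample: the counters quoted in the thread.
DUMP_MAGIC = """\
0.000          0        340          0  non-token data: nspam
0.000          0        475          0  non-token data: nham
0.000          0      53404          0  non-token data: ntokens
"""


def bayes_status(dump_text, local_cf=""):
    """Say whether BAYES_* rules can fire for this database and config."""
    counters = {name: int(value)
                for value, name in MAGIC_ROW.findall(dump_text)}
    missing = [key for key in ("nspam", "nham") if key not in counters]
    if missing:
        # Typical when the dump was taken as a user whose database is empty.
        raise ValueError("no %s row in dump" % ", ".join(missing))
    minimum = {"spam": DEFAULT_MIN, "ham": DEFAULT_MIN}
    for kind, value in MIN_SETTING.findall(local_cf):
        minimum[kind] = int(value)  # a later line overrides an earlier one
    need = {kind: max(0, minimum[kind] - counters["n" + kind])
            for kind in minimum}
    return {"nspam": counters["nspam"], "nham": counters["nham"],
            "minimum": minimum, "need": need,
            "active": not any(need.values())}


if __name__ == "__main__":
    print(bayes_status(DUMP_MAGIC))
    # Hypothetical site override raising both minimums to 500.
    print(bayes_status(DUMP_MAGIC,
                       "bayes_min_spam_num 500\nbayes_min_ham_num 500\n"))
```

With the quoted counters (340 spam, 475 ham) both minimums of 200 are already met, so the threshold alone does not explain the low Bayes points.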


Re: spamc using different perl

2007-01-31 Thread maillist

Daryl C. W. O'Shea wrote:

Dhaval Patel wrote:
I am running a Debian stable system and have perl 5.8.4 installed 
from the Debian packages.

I had a problem with the Net::DNS module a while back and upgraded 
perl to 5.8.8 using CPAN. This upgrade installed perl 5.8.8 as the 
default perl version system wide.

Unfortunately Debconf is not part of CPAN, so I cannot install it in 
5.8.8. Because of this, certain Debian utilities will not work.

Is there any way to tell spamc to use perl 5.8.8 and leave the rest of 
the system to use the Debian 5.8.4?

Both versions are currently on the system. /usr/bin has perl5.8.4 and 
perl5.8.8 binaries. Currently /usr/bin/perl is the 5.8.8 binary for 
spamassassin.

Will changing the top line of /usr/bin/spamassassin be all that is 
needed for spamc?


spamc couldn't care less what version of Perl is on your system since 
it's written in C.


All the other programs that ship with SA (spamassassin, spamd, 
sa-update, etc) are written in Perl.  If you want those programs to 
use a different perl (and I would suggest they all use the same perl), 
yeah, you can change the shebang line to point at a different perl.



Daryl

I would first like to thank Daryl for properly using the phrase, 
"...couldn't care less".  Too many people today say, "I could care less", 
which makes me want to pull their face off.


Dhaval,

   I have never been able to successfully upgrade Perl, and not have at 
least a few apps bomb.  I think you can edit the file /usr/sbin/spamd.  
Change the first line #!/usr/bin/perlX.X.X -T -w to whatever version you 
have upgraded to.


I wish I could be more help.

-=Aubrey=-


Re: spamc using different perl

2007-01-31 Thread maillist

Matthew Bickerton wrote:

I am having a problem with the Net::DNS module. It just hangs up when trying
to resolve a domain to get the TXT data for SPF tests in spamassassin. If I
try to reinstall the module it fails the make test. How did you solve the
problem?

Matthew

-Original Message-
From: Daryl C. W. O'Shea [mailto:[EMAIL PROTECTED] 
Sent: 30 January 2007 19:41

To: Dhaval Patel
Cc: users@spamassassin.apache.org
Subject: Re: spamc using different perl

Dhaval Patel wrote:
  

I am running a Debian stable system and have perl 5.8.4 installed from the
Debian packages.

I had a problem with the Net::DNS module a while back and upgraded perl to
5.8.8 using CPAN. This upgrade installed perl 5.8.8 as the default perl
version system wide.

Unfortunately Debconf is not part of CPAN, so I cannot install it in
5.8.8. Because of this, certain Debian utilities will not work.

Is there any way to tell spamc to use perl 5.8.8 and leave the rest of the
system to use the Debian 5.8.4?

Both versions are currently on the system. /usr/bin has perl5.8.4 and
perl5.8.8 binaries. Currently /usr/bin/perl is the 5.8.8 binary for
spamassassin.

Will changing the top line of /usr/bin/spamassassin be all that is needed
for spamc?

spamc couldn't care less what version of Perl is on your system since 
it's written in C.


All the other programs that ship with SA (spamassassin, spamd, 
sa-update, etc) are written in Perl.  If you want those programs to use 
a different perl (and I would suggest they all use the same perl), yeah, 
you can change the shebang line to point at a different perl.



Daryl

  
In my experience with installing from scratch, there is an order in which 
the perl modules need to be installed.  Here is the order I found 
best:


Digest::SHA1

HTML::Parser

libwww-perl-5.805
   needs - HTML::Tagset

Net::DNS
   needs - Digest::HMAC_MD5
           Net::IP
           IO::Socket::INET6
              needs - Socket6-0.19

Mail::SPF::Query
   needs - Net::CIDR::Lite
           Sys::Hostname::Long
           URI::Escape

IP::Country

Razor2
razor-agents-sdk-2.07

Archive::Tar
   needs - IO::Zlib
           Compress-Zlib-1.41

Net::Ident

IO::Socket::SSL

LWP::UserAgent

HTTP::Date
-

I hope I have this right  :/


-=Aubrey=-


Re: about traing bayes method.

2007-02-01 Thread maillist
Matt Kettler wrote:
> Monty Ree wrote:
>   
>> Hello, list.
>>
>> I would like to ask some about bayes.
>>
>> If I have received ham mail which written ***SPAM***, So in order to
>> train bayes this mail with sa-learn to ham, I forwarded this mail
>> using outlook or outlook express to [EMAIL PROTECTED] and this mail would
>> be saved at /var/spool/mail/ham.
>>
>> and if I execute like this, this would be meaningful or meaningless?
>> 
> Meaningless. Forwarding the message created a new, completely different,
> message, at least from a bayes perspective. It has new headers, and all
> the mime sections were likely reformatted and re-encoded to outlook's
> liking. While there's a lot of visual similarity when rendered by
> outlook, the raw message is quite different.
>   
>> # sa-learn --ham /var/spool/mail/ham
>>
>> If meaningless, Any good solution which like this?
>> 
> I'm no outlook expert, but what you're looking for is a way to extract
> the original message, with its original headers and mime sections.
>
>   
I think one quick and easy way to accomplish this is to make your
outlook clients leave a copy on the server. When they report a spam
message, and you want to learn it as such, go to the server, and learn
it either from their inbox directly, or copy it "as is" to another file,
and learn that one. This is by no means a long-term way to deal with
this, but it's what I did/do.

-=Aubrey=-


I'm getting bounce-backs

2007-02-01 Thread maillist
Not every time I respond, but sometimes, when I reply to this maillist, 
I get a bounce-back that starts off like this:


Hi. This is the qmail-send program at apache.org.
I'm afraid I wasn't able to deliver your message to the following addresses.
This is a permanent error; I've given up. Sorry it didn't work out.



:
ezmlm-send: fatal: message already has a Mailing-List header (maybe I should be 
a sublist) (#5.7.2)
ezmlm-gate: fatal: fatal error from child

--- Below this line is a copy of the message.


SNIP




When I reply, I choose to "reply to all".  Should I just choose "reply" 
instead?



-=Aubrey=-




Re: Training Bayes ham messages when they are sent out of the server

2007-02-06 Thread maillist

Philip Seccombe wrote:


 

Does anyone have any ideas how I can get the emails back on the 
server, or keep a copy on the server to create a bayes database on?


I thought of forwarding emails back, but then it's a forwarded email 
and not the actual one which will mess up the database.


I've no idea how to do this with Qmail, but you could possibly forward a 
copy of all emails from those users to another user, say: 
"[EMAIL PROTECTED]", and learn the messages that way.


 

The other question I had was regarding setting up squirrelmail for 
releasing emails. I've just butchered the template of squirrelmail to 
look like a spam filter release but it's far from ideal, does anyone 
know of any templates for squirrelmail or have they developed any?


I'm not sure what you mean to set up squirrelmail  for "releasing 
emails".  If you mean to report as spam, or ham, they do have plugins 
for that here, 
http://www.squirrelmail.org/plugins_category.php?category_id=3



-=Aubrey=-




Re: Spamassassin does block some email

2007-02-07 Thread maillist

Rocco Scappatura wrote:

There has been quite a bit of discussion of these spams recently.

See the current "TVD_SILLY_URI_OBFU" thread.



I will do..

Thanks,

rocsca

  

I feel that, that thread is being watched by many.  Even spammers.

I'm new, but I think it's interesting how there were a few rules that 
were shared among the users here, and the spam has been able to adjust 
according to those rules only.  It is specific to that spam type.  
Perhaps these things would be better handled outside of our discussions, 
by the spamassassin team?


Again, I'm new here, and this has surely already been an issue in the 
past, and handled accordingly.  Can anyone correct me if I'm wrong, please?


-=Aubrey=-


config issue

2007-02-12 Thread maillist

OS - slackware 11.0
# spamd -V
SpamAssassin Server version 3.1.7
 running on Perl 5.8.8
 with SSL support (IO::Socket::SSL 1.02)
sendmail Version 8.13.8  -  MBOX format
mimedefang version 2.58

A few spam messages that are all pretty similar are getting through my 
server.  I don't know why, because they are scoring high enough to get 
discarded, even when I run both spamc -c < message and spamassassin 
--test-mode message.  They both score the same.  This just suddenly 
started happening after I ran sa-update -D.


Surely there is some config I have upset, but I'm out of answers.  I run 
spamassassin -D --lint, and I see nothing alarming.  My threshold is set 
to 7.0, and these messages are scoring anywhere from 7.2 - 8.7 depending 
on Razor2 detection.  I have bayes turned on, but not autolearn.  These 
messages are getting caught by the bayes mostly:


/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/
Content analysis details:   (7.2 points, 7.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
-1.8 ALL_TRUSTED            Passed through trusted hosts only via SMTP
 8.0 BAYES_99               BODY: Bayesian spam probability is 99 to 100%
                            [score: 1.]
 1.0 RAZOR2_CHECK           Listed in Razor2 (http://razor.sf.net/)

/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/

Content analysis details:   (8.7 points, 7.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
-1.8 ALL_TRUSTED            Passed through trusted hosts only via SMTP
 8.0 BAYES_99               BODY: Bayesian spam probability is 99 to 100%
                            [score: 0.9982]
 1.5 RAZOR2_CF_RANGE_E4_51_100 Razor2 gives engine 4 confidence level
                            above 50%
                            [cf:  54]
 0.5 RAZOR2_CHECK           Listed in Razor2 (http://razor.sf.net/)
 0.5 RAZOR2_CF_RANGE_51_100 Razor2 gives confidence level above 50%
                            [cf:  54]

/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/


but these messages are the only ones like this.  All others are 
being filtered fine.


-=Aubrey=-


quick question

2007-02-14 Thread maillist

Content analysis details:   (8.6 points, 7.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 2.4 SPF_HELO_SOFTFAIL      SPF: HELO does not match SPF record (softfail)
                            [SPF failed: Please see
                            http://www.openspf.org/why.html?sender=janis.com&ip=212.11.121.229&receiver=mail.emailacs.com]
-1.8 ALL_TRUSTED            Passed through trusted hosts only via SMTP
 8.0 BAYES_99               BODY: Bayesian spam probability is 99 to 100%
                            [score: 0.9970]

Is there any reason that such a message with the above score would make 
it to an in-box?  All of my users are getting these messages a few times 
a day.  Other than that, all other spam is correctly moved to a spamdrop 
in-box.  I sent a question in the other day about this, and never heard 
anything back from anyone.  I'm still puzzled by this.  I don't have any 
sort of whitelist setup.




Re: quick question

2007-02-14 Thread maillist

Magnus Holmgren wrote:

On Wednesday 14 February 2007 14:55, maillist wrote:
  

Content analysis details:   (8.6 points, 7.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 2.4 SPF_HELO_SOFTFAIL      SPF: HELO does not match SPF record (softfail)
                            [SPF failed: Please see
                            http://www.openspf.org/why.html?sender=janis.com&ip=212.11.121.229&receiver=mail.emailacs.com]
-1.8 ALL_TRUSTED            Passed through trusted hosts only via SMTP
 8.0 BAYES_99               BODY: Bayesian spam probability is 99 to 100%
                            [score: 0.9970]

Is there any reason that such a message with the above score would make
it to an in-box?  



That depends entirely on whatever moves the spam to the spamdrop in-box. What 
MDA do you use and what criteria is it configured to make its decisions upon?
  

Sorry, I should have given my config.  Here it is:
  
   OS - slackware 11.0  
   SpamAssassin Server version 3.1.7

  running on Perl 5.8.8
  with SSL support (IO::Socket::SSL 1.02)
   sendmail Version 8.13.8  -  MBOX format
   mimedefang version 2.58

I have mimedefang set to move all spam to a spamdrop in-box.
  
All of my users are getting these messages a few times 
a day.  Other than that, all other spam is correctly moved to a spamdrop
in-box.  I sent a question in the other day about this, and never heard
anything back from anyone.  I'm still puzzled by this.  I don't have any
sort of whitelist setup.



Does any of the correctly moved spam have a lower score than this?
  



Yes.  Just glancing at the spamdrop in-box, I see 1 message that scored 
8 and that was only due to BAYES_99


Content analysis details:   (8.0 points, 7.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 0.0 HTML_MESSAGE           BODY: HTML included in message
 8.0 BAYES_99               BODY: Bayesian spam probability is 99 to 100%
                            [score: 1.]

It's baffling.



Re: spamassassin beginner question

2007-02-14 Thread maillist

Michael Connors wrote:

Hi,
I have been getting a lot of spam messages as indicated in the content 
preview below.


"""
Content preview:  ENERGY COMPANY ALERT!! Search for: UTEVCurrent price:
  $0.016 Market: bullish!!! TRADE SMART AND WIN WITH US NOW!! [...]

Content analysis details:   (7.1 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 0.1 RCVD_BY_IP             Received by mail server with no name
 1.7 SARE_MLB_Stock1        BODY: SARE_MLB_Stock1
 1.7 SARE_PROLOSTOCK_SYM3   BODY: Last week's hot stock scam
 0.1 HTML_50_60             BODY: Message is 50% to 60% HTML
 0.0 HTML_MESSAGE           BODY: HTML included in message
 0.1 HTML_FONT_BIG          BODY: HTML tag for a big font size
 3.5 BAYES_99               BODY: Bayesian spam probability is 99 to 100%
                            [score: 1.]

The original message was not completely plain text, and may be unsafe to
open with some email clients; in particular, it may contain a virus,
or confirm that your address can receive spam.  If you wish to view
it, it may be safer to save it to a file and open it with an editor.
"""

This sort of spam still ends up in my inbox.

Is the [score: 1.] the total spam score for this email?
I find it strange that these get through as they are the first 
non-image spams to get through more than a couple of times.


Are there other rules that this spam should be hitting?
--
Michael Connors

Is this always happening with spam messages, or do some go to a drop-box 
of some sort?  What all do you run along with SA to get the message 
discarded? 

I use mimedefang, and am having the same sort of problem, but it is only 
a few messages that get through.


Re: to expung

2007-02-14 Thread maillist

Bahram Fahnestock wrote:

Hi,

Save over 50% on your medication

http://www.ledrx .com

Remove space in the above link



Christmas, but... well, I expect youre all going to want to stay at
Hogwarts, what with... one thing and another. 
Mum!  said Ron irritably. What dyou three know that we dont? 



  
You know, this is the exact email that I get, that gets through, even 
though it scores high enough to get filtered.  Anybody else getting this?


Re: spamassassin beginner question

2007-02-15 Thread maillist

Michael Connors wrote:


On 14/02/07, *maillist* <[EMAIL PROTECTED] 
<mailto:[EMAIL PROTECTED]>> wrote:


Michael Connors wrote:
> Hi,
> I have been getting a lot of spam messages as indicated in the content
> preview below.
>
> """
> Content preview:  ENERGY COMPANY ALERT!! Search for: UTEVCurrent price:
>   $0.016 Market: bullish!!! TRADE SMART AND WIN WITH US NOW!! [...]
>
> Content analysis details:   (7.1 points, 5.0 required)
>
>  pts rule name              description
> ---- ---------------------- --------------------------------------------------
>  0.1 RCVD_BY_IP             Received by mail server with no name
>  1.7 SARE_MLB_Stock1        BODY: SARE_MLB_Stock1
>  1.7 SARE_PROLOSTOCK_SYM3   BODY: Last week's hot stock scam
>  0.1 HTML_50_60             BODY: Message is 50% to 60% HTML
>  0.0 HTML_MESSAGE           BODY: HTML included in message
>  0.1 HTML_FONT_BIG          BODY: HTML tag for a big font size
>  3.5 BAYES_99               BODY: Bayesian spam probability is 99 to 100%
>                             [score: 1.]
>
> The original message was not completely plain text, and may be unsafe to
> open with some email clients; in particular, it may contain a virus,
> or confirm that your address can receive spam.  If you wish to view
> it, it may be safer to save it to a file and open it with an editor.
> """
>
> This sort of spam still ends up in my inbox.
>
> Is the [score: 1.] the total spam score for this email?
> I find it strange that these get through as they are the first
> non-image spams to get through more than a couple of times.
>
> Are there other rules that this spam should be hitting?
> --
> Michael Connors
Is this always happening with spam messages, or do some go to a drop-box
of some sort?  What all do you run along with SA to get the message
discarded?

I use mimedefang, and am having the same sort of problem, but it is only
a few messages that get through.


Hi,
I tag them with a spam score and anything under 10 gets to the mail 
box, anything over 5 arrives with {spam x} in the subject line, these 
ones however repeatedly get through and have spam scores like this in 
the mesage header.


-MailScanner-SpamCheck: not spam, SpamAssassin (score=1.749,
required 4, BAYES_50 0.00, HTML_50_60 0.09, HTML_MESSAGE 0.00,
SARE_PROLOSTOCK_SYM3 1.66)
Even though they appear to be caught when I run them through at the 
command line.


I don't seem to have a problem with other types of spam.

--
Michael Connors
It depends on how you are testing from the command line.  If you run 
"spamc -c < message" then this should give you the actual score, in case 
you have any config issues.  Running "spamassassin --test-mode message" 
will give you "what_should_be" the score.  The 2 should be the same, 
though generally, some people will be using ~/.spamassassin bayes or 
configs, and try to adjust settings in other places, that they forget to 
define in /etc/mail/spamassassin/local.cf.
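
The comparison suggested above can be automated. The following is an added example, not code from any poster in this thread: it parses the `spamassassin -t` report and the MailScanner header quoted earlier and lists which rules fired only on the command line. Function names are my own, and the sample inputs are the two quoted outputs re-typed without mail wrapping.

```python
import re

# Constructed inputs: the two outputs quoted in the thread, re-typed
# without the mail client's line wrapping.
CLI_REPORT = """\
Content analysis details:   (7.1 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------
 0.1 RCVD_BY_IP             Received by mail server with no name
 1.7 SARE_MLB_Stock1        BODY: SARE_MLB_Stock1
 1.7 SARE_PROLOSTOCK_SYM3   BODY: Last week's hot stock scam
 0.1 HTML_50_60             BODY: Message is 50% to 60% HTML
 0.0 HTML_MESSAGE           BODY: HTML included in message
 0.1 HTML_FONT_BIG          BODY: HTML tag for a big font size
 3.5 BAYES_99               BODY: Bayesian spam probability is 99 to 100%
"""

PIPELINE_HEADER = (
    "-MailScanner-SpamCheck: not spam, SpamAssassin (score=1.749, "
    "required 4, BAYES_50 0.00, HTML_50_60 0.09, HTML_MESSAGE 0.00, "
    "SARE_PROLOSTOCK_SYM3 1.66)"
)

TOTAL_RE = re.compile(r"\(\s*(-?[\d.]+) points, (-?[\d.]+) required\)")
# A report row is "<points> <RULE_NAME> <description>"; requiring an
# upper-case first letter skips wrapped description tails like "99 to 100%".
ROW_RE = re.compile(r"^\s*(-?\d+(?:\.\d+)?)\s+([A-Z][A-Za-z0-9_]+)\b")
HEADER_RE = re.compile(
    r"\(score=(-?[\d.]+),\s*required\s+(-?[\d.]+)(.*)\)", re.S)


def parse_report(text):
    """Return (score, required, {rule: points}) from a `spamassassin -t` report."""
    score = required = None
    hits = {}
    for raw in text.splitlines():
        line = raw.lstrip("> ")  # tolerate a report pasted from a quoted mail
        total = TOTAL_RE.search(line)
        if total:
            score, required = float(total.group(1)), float(total.group(2))
            continue
        row = ROW_RE.match(line)
        if row:
            hits[row.group(2)] = float(row.group(1))
    if score is None:
        raise ValueError("no 'Content analysis details' line found")
    return score, required, hits


def parse_mailscanner(header):
    """Return (score, required, {rule: points}) from a MailScanner-SpamCheck header."""
    m = HEADER_RE.search(header)
    if not m:
        raise ValueError("no SpamAssassin score in header")
    hits = {}
    for item in m.group(3).split(","):
        parts = item.split()
        if len(parts) == 2:  # "RULE_NAME points"
            hits[parts[0]] = float(parts[1])
    return float(m.group(1)), float(m.group(2)), hits


def compare_runs(cli_hits, pipe_hits):
    """Summarise how a command-line scan differs from the in-pipeline scan."""
    only_cli = sorted(set(cli_hits) - set(pipe_hits))
    only_pipe = sorted(set(pipe_hits) - set(cli_hits))
    bayes_cli = sorted(r for r in cli_hits if r.startswith("BAYES_"))
    bayes_pipe = sorted(r for r in pipe_hits if r.startswith("BAYES_"))
    return {
        "only_cli": only_cli,
        "only_pipeline": only_pipe,
        # Points the pipeline never awarded because these rules did not fire.
        "points_lost": round(sum(cli_hits[r] for r in only_cli), 2),
        # A different BAYES_ bucket for the same message usually means the
        # two runs read different Bayes databases (per-user vs. daemon user).
        "bayes_mismatch": bayes_cli != bayes_pipe,
        # Non-Bayes rules missing in the pipeline point at a different rule
        # set or configuration being loaded there.
        "rules_missing": [r for r in only_cli if not r.startswith("BAYES_")],
    }


if __name__ == "__main__":
    cli_score, cli_req, cli_hits = parse_report(CLI_REPORT)
    p_score, p_req, p_hits = parse_mailscanner(PIPELINE_HEADER)
    print(f"command line: {cli_score}/{cli_req}  pipeline: {p_score}/{p_req}")
    for key, value in compare_runs(cli_hits, p_hits).items():
        print(f"{key}: {value}")
```

On the quoted message the difference is the Bayes bucket (BAYES_99 on the command line, BAYES_50 in the pipeline) plus three rules that never fired in the pipeline.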


Re: Spam not getting scanned

2007-02-16 Thread maillist

Dave Williss wrote:
I've started receiving a few spams a day that aren't even getting 
scanned by Spamassassin.  Or at least they don't get any X-Spam 
headers added on.


The messages in question all have forged senders to make them look 
like they came from an existing user within my own domain even though 
the IP they came from is not in our domain and doesn't have any 
reverse DNS.  Here are the Received headers:


Received: by tnt.microimages.com (Postfix, from userid 65534)
    id F0382681B5; Wed, 14 Feb 2007 18:55:09 -0600 (CST)
Received: from 216.229.5.227 (unknown [218.249.51.90])
    by tnt.microimages.com (Postfix) with SMTP id 6676F681A4;
    Wed, 14 Feb 2007 18:54:52 -0600 (CST)
X-Originating-IP: 136.116.127.78 by smtp.218.249.51.90;
    Wed, 14 Feb 2007 19:50:27 -0500


Is there some Spamassassin rule that may be auto-whitelisting this 
(because the forged sender is an actual account), or is Postfix 
confused into thinking that the sender is local and just not running 
it through SA? Now that I think about it, I'm guessing it's Postfix.


I am having the same issue.  I upgraded to SA 3.1.8 2 days ago, and 
didn't get any spam like that yesterday.  But today I am getting a few 
more.  If I pass the messages through SA, they score high enough to get 
booted.  I've been having this issue for about a week now.  If you find 
anything out, please post.


-=Aubrey=-


Re: veryfing the score of a message

2007-02-27 Thread maillist

Rocco Scappatura wrote:

Hello,

I would like to verify the score of a message that sendmail left in
queue for some reason.

Normally, I have two messages in queue directory:

- qfX
- dfX

Could I 'cat' qfX and dfX in a temp file 'tmp'

and

then calculate the score so:

spamassassin -t < tmp

?

Or I will get a wrong score?

TIA,

rocsca

  
I believe that sendmail doesn't have the headers assembled at that 
point.  So, if you do what you mentioned above, then you will not get 
the correct score.


-=Aubrey=-


Re: Whitelist scoring question

2007-03-07 Thread maillist

Mark Adams wrote:

Hi All,

Quick questions regarding whitelisting. I have read that whitelisting
applies -50 points whether using whitelist_from or whitelist_from_rcvd.

My question is can this amount be altered?

Thanks for any help.

Regards,
Mark

  

Yes edit your /etc/mail/spamassassin/local.cf file.  Add the following...

score USER_IN_WHITELIST -XXX  (Where -XXX is the score that you wish)

Remember to always run spamassassin --lint

restart spamassassin.

-=Aubrey=-


Re: Do you experience problems with 3.1.8?

2007-03-12 Thread maillist

Michał Jęczalik wrote:

Hello,

after upgrading from 3.1.7 I have numerous problems with my spamd. It 
hangs up during high load and becomes permanently unresponsive. 
According to advice I have found on devel list, I'm using 
--round-robin now and it hangs less often. But now I have a lot of 
~/.spamassassin/bayes_toks.expire[pid] lockfiles, that don't disappear 
and quickly foul user's quota. It's interesting that on another host 
with similar load conditions everything works ok. Anyway - am I the 
only one experiencing these problems? There's no rumour on the devel 
list, there's no rumour here - what's wrong? :) In this situation 
3.1.8 is quite unusable for me and I'm thinking about downgrade. The 
only reason I have not done it already is that I'm not sure if this is 
a simple task - my users won't stand another spamassassin blackout, 
after numerous spam floods due to those hang-ups in past couple of 
days. ;-)

How did you upgrade?
What OS?
What MDA?
When you say "hangs" what do you mean?


Re: Do you experience problems with 3.1.8?

2007-03-12 Thread maillist

Michał Jęczalik wrote:

On Mon, 12 Mar 2007, maillist wrote:


Michał Jęczalik wrote:

Hello,

after upgrading from 3.1.7 I have numerous problems with my spamd. 
It hangs up during high load and becomes permanently unresponsive. 
According to advice I have found on devel list, I'm using 
--round-robin now and it hangs less often. But now I have a lot of 
~/.spamassassin/bayes_toks.expire[pid] lockfiles, that don't 
disappear and quickly foul user's quota. It's interesting that on 
another host with similar load conditions everything works ok. 
Anyway - am I the only one experiencing these problems? There's no 
rumour on the devel list, there's no rumour here - what's wrong? :) 
In this situation 3.1.8 is quite unusable for me and I'm thinking 
about downgrade. The only reason I have not done it already is that 
I'm not sure if this is a simple task - my users won't stand another 
spamassassin blackout, after numerous spam floods due to those 
hang-ups in past couple of days. ;-)

How did you upgrade?


perl Makefile.PL etc ;-)


What OS?


Linux 2.4


What MDA?


It is completely unrelated to MDA. I invoke spamd with inetd and spamc 
with procmail, but the problem is in spamd itself. Probably one could 
repeat it with feeding messages manually to spamc. As far as I read 
the devel list, guys out there are aware of this problem, but they 
seem to be satisfied with the temporary (?) solution of --round-robin 
so far. But it doesn't fix the problem, it just seems to decrease 
intensity.


Oh, I've just noticed it died again. Well, killall spamd... ;-)


When you say "hangs" what do you mean?


This is what I mean:

 5707 ?  Ss   0:02 /usr/bin/perl -T -w /usr/bin/spamd --max-children=14 --round-robin

 5805 ?  R   58:05 spamd child
 5826 ?  S    3:10 spamd child
 5851 ?  R   31:03 spamd child
 5862 ?  R   26:19 spamd child
 5873 ?  R   26:11 spamd child
 5882 ?  R   26:09 spamd child
15341 ?  R   18:15 spamd child
17651 ?  R   16:09 spamd child
22972 ?  R   16:16 spamd child
 9744 ?  R   10:47 spamd child
14581 ?  S    1:37 spamd child
18379 ?  R   10:18 spamd child
21493 ?  R    7:21 spamd child
24789 ?  R    6:43 spamd child

And a nice bunch of spamc - some probably hung up waiting for output 
from spamd, and some continuously trying to connect and feed incoming 
mails (and giving up after some retries, passing the message 
spam-uncredited).


A last sane response of every spamd's child is "processing message ...".

make uninstall
perl Makefile.PL etc ;-)

Sorry man, I'm stumped.  It just seems like it must be an issue with the 
upgrade.


-=Aubrey=-


Re: Logging User Name

2007-03-15 Thread maillist

YN Verma wrote:

Hi

We have configured SpamAssassin 3.1.5 and integrated with Sun Java Messaging
Server. The system seems to be working perfectly. In the Spam Log I can find
that messages are getting filtered.

But in the log I can not find the username or the sender mail address.

I would appreciate if anyone can help in this. For reference, below is the
log of one SCAN
**

spamd: connection from localhost [127.0.0.1] at port 44849
spamd[8]: spamd: checking message <[EMAIL PROTECTED]> for (unknown):7361

Isn't this the UID? 7361

spamd[494]: spamd: connection from localhost [127.0.0.1] at port 44854
spamd[494]: spamd: checking message <[EMAIL PROTECTED]> for (unknown):7361
spamd[8]: spamd: clean message (3.4/5.0) for (unknown):7361 in 0.5 seconds, 10 bytes.
spamd[8]: spamd: result: . 3 - AWL,DEAR_SOMETHING,FROM_LOCAL_NOVOWEL,HTML_MESSAGE,UNPARSEABLE_RELAY scantime=0.5,size=10,user=(unknown),uid=7361,required_score=5.0,rhost=localhost,raddr=127.0.0.1,rport=44849,mid=<[EMAIL PROTECTED],autolearn=no



==

Here you can see that in place of username unknown is coming. I need
username to be logged.

Thanks in Advance.

regards

Yadwendra

  




Re: how to archive/save mails that are scanned by spamd ???

2007-03-15 Thread maillist

Starckjohann, Ove wrote:


Hi !

Is there a way to save/archive mails that are scanned by spamd to an 
eml-file on the spamd-server ???



Ove Starckjohann



Yes there are many ways to do that, but what is your setup?

-=Aubrey=-


Re: AW: how to archive/save mails that are scanned by spamd ???

2007-03-15 Thread maillist

Starckjohann, Ove wrote:

HI!

Mailflow is as follows:

Internet -> Mail is received by a Proxy-Server (closed source) -> mail is 
forwarded to spamd -> score is reported back to proxy

So - because i cannot pipe the mail through other servers / programs the spamd 
is my only chance to archive the mail.
What/where is "master.cf". It's not on my system...

Ove Starckjohann



  

-Original Message-
From: Peter Farrell [mailto:[EMAIL PROTECTED] 
Sent: Thursday, 15 March 2007 09:39

To: Starckjohann, Ove
Subject: Re: how to archive/save mails that are scanned by spamd ???


We put a line in master.cf to always copy each email to an 
archive machine.

We set up squirrel mail with this archive account for quick and easy
searches for particular messages (which saves a lot of digging through
the imap folders...).

10025 inet n  -   n   -   -   smtpd
-o content_filter=
...
...
-o [EMAIL PROTECTED]

This isn't a solution for archiving ONLY emails w/ spam headers.
I imagine you could archive to one address then set up a proc mail
recipe for the filtering...?

-Peter


On 15/03/07, Starckjohann, Ove <[EMAIL PROTECTED]> wrote:



Hi !

Is there a way to save/archive mails that are scanned by spamd to an
eml-file on the spamd-server ???


Ove Starckjohann

  


  

It should be /etc/mail/spamassassin/local.cf

-=Aubrey=-


Re: AW: AW: how to archive/save mails that are scanned by spamd ???

2007-03-15 Thread maillist

Starckjohann, Ove wrote:

Hi!

What line may i add in 
/etc/mail/spamassassin/local.cf

to archive all mails that are checked by spamd ???

Ove


  

-Original Message-
From: maillist [mailto:[EMAIL PROTECTED] 
Sent: Thursday, 15 March 2007 13:25
Cc: users@spamassassin.apache.org
Subject: Re: AW: how to archive/save mails that are scanned by spamd ???

Starckjohann, Ove wrote:

HI!

Mailflow is as follows:

Internet -> Mail is received by a Proxy-Server (closed source) -> mail is 
forwarded to spamd -> score is reported back to proxy

So - because i cannot pipe the mail through other servers / programs the spamd 
is my only chance to archive the mail.
What/where is "master.cf". It's not on my system...

Ove Starckjohann

-Original Message-
From: Peter Farrell [mailto:[EMAIL PROTECTED] 
Sent: Thursday, 15 March 2007 09:39
To: Starckjohann, Ove
Subject: Re: how to archive/save mails that are scanned by spamd ???

We put a line in master.cf to always copy each email to an 
archive machine.

We set up squirrel mail with this archive account for quick and easy
searches for particular messages (which saves a lot of digging through
the imap folders...).

10025 inet n  -   n   -   -   smtpd
-o content_filter=
...
...
-o [EMAIL PROTECTED]

This isn't a solution for archiving ONLY emails w/ spam headers.
I imagine you could archive to one address then set up a proc mail
recipe for the filtering...?

-Peter

On 15/03/07, Starckjohann, Ove <[EMAIL PROTECTED]> wrote:

Hi !

Is there a way to save/archive mails that are scanned by spamd to an
eml-file on the spamd-server ???

Ove Starckjohann


It should be /etc/mail/spamassassin/local.cf

-=Aubrey=-




  
I'm not aware of any way to archive using SA.  I use mimedefang, along 
with sendmail's milter.  The best way to do this is:


   # Fragment for filter_end() in mimedefang-filter
   if ($Features{"SpamAssassin"}) {
       # Only scan messages smaller than 100 KB
       if (-s "./INPUTMSG" < 100*1024) {
           my ($hits, $req, $names, $report) = spam_assassin_check();

           if ($hits >= $req) {
               # Add a header with original recipients, just for info
               action_add_header("X-Orig-Rcpts", join(", ", @Recipients));

               # Remove original recipients
               foreach my $recip (@Recipients) {
                   delete_recipient($recip);
               }

               # Send to archive address
               add_recipient('[EMAIL PROTECTED]');
           }
       }
   }

-=Aubrey=-


Re: AW: AW: AW: how to archive/save mails that are scanned by spamd ???

2007-03-15 Thread maillist

Starckjohann, Ove wrote:

It was Aubreys Mail:

-Original Message-
From: maillist [mailto:[EMAIL PROTECTED] 


...
It should be /etc/mail/spamassassin/local.cf

-=Aubrey=-




Ove Starckjohann



  

-Original Message-
From: Jim Maul [mailto:[EMAIL PROTECTED] 
Sent: Thursday, 15 March 2007 13:43

To: users@spamassassin.apache.org
Subject: Re: AW: AW: how to archive/save mails that are scanned by spamd ???



Starckjohann, Ove wrote:


Hi!

What line may i add in 
/etc/mail/spamassassin/local.cf

to archive all mails that are checked by spamd ???

Ove


  
what makes you think that you could even put something in local.cf that 
would do that?  SA does not archive anything.


-Jim




  

I was responding to your question about where was the "master.cf" for SA.

I quote:

"So - because i cannot pipe the mail through other servers / programs 
the spamd is my only chance to archive the mail.

What/where is "master.cf". It's not on my system..."


You can't use SA for anything other than scanning email, and marking it 
in some way to say that it is spam or it is not.


Sorry for any confusion.

-=Aubrey=-


Re: Can't locate IO/Socket/INET.pm

2007-03-15 Thread maillist

Marc Perkel wrote:
What would cause this when trying to run sa-learn. Running FC6 - what 
am I missing?


Can't locate IO/Socket/INET.pm


Download IO::Socket from CPAN

http://search.cpan.org/CPAN/authors/id/G/GB/GBARR/IO-1.2301.tar.gz

-=Aubrey=-


Re: Multiple errors in SA

2007-03-16 Thread maillist

[EMAIL PROTECTED] wrote:
Hi  


I am relatively new to SA with this my first major install hopefully of many

The current server is RHEL4 running
spamass-milter-0.3.1-3.el4.kb
spamassassin-3.1.8-2.el4
sendmail-8.13.1-3.RHEL4.5


From the log there seems to be multiple errors and I am not sure where to 
start.
I have looked up several of the errors via google but been unsuccessful so far.

Here is the log. I must have done something wrong with the setup

Mar 16 13:14:03 brutus spamd[10588]: spamd: bad protocol: header error: (closed
before headers) at /usr/bin/spamd line 1671.
Mar 16 13:14:03 brutus sendmail[17499]: l2G0DX2m017499:
milter_read(spamassassin): cmd read returned 50, expecting 1397768524
Mar 16 13:14:03 brutus sendmail[17499]: l2G0DX2m017499: Milter (spamassassin):
to error state
Mar 16 13:14:03 brutus sendmail[17499]: l2G0DX2m017499: Milter (spamassassin):
init failed to open
Mar 16 13:14:03 brutus sendmail[17499]: l2G0DX2m017499: Milter (spamassassin):
to error state
Mar 16 13:14:03 brutus spamd[26672]: prefork: child states: II
Mar 16 13:14:03 brutus sendmail[17499]: l2G0DX2m017499: [EMAIL PROTECTED]
User unknown
Mar 16 13:14:03 brutus sendmail[17499]: l2G0DX2m017499:
[EMAIL PROTECTED], size=0, class=0, nrcpts=0, proto=ESMTP,
daemon=MTA, relay=localhost.localdomain [127.0.0.1]
Mar 16 13:14:12 brutus spamd[10588]: spamd: got connection over
/var/run/spamass.sock
Mar 16 13:14:42 brutus spamd[10588]: tcp timeout at /usr/bin/spamd line 1042.
Mar 16 13:14:42 brutus spamd[10588]: tcp timeout at /usr/bin/spamd line 1042.
Mar 16 13:14:42 brutus spamd[10588]: spamd: bad protocol: header error: (closed
before headers) at /usr/bin/spamd line 1671.
Mar 16 13:14:42 brutus sendmail[17517]: l2G0ECNj017517:
milter_read(spamassassin): cmd read returned 50, expecting 1397768524
Mar 16 13:14:42 brutus sendmail[17517]: l2G0ECNj017517: Milter (spamassassin):
to error state
Mar 16 13:14:42 brutus sendmail[17517]: l2G0ECNj017517: Milter (spamassassin):
init failed to open
Mar 16 13:14:42 brutus sendmail[17517]: l2G0ECNj017517: Milter (spamassassin):
to error state
Mar 16 13:14:42 brutus spamd[26672]: prefork: child states: II
Mar 16 13:14:42 brutus sendmail[17517]: l2G0ECNj017517: [EMAIL PROTECTED]
User unknown
Mar 16 13:14:42 brutus sendmail[17517]: l2G0ECNj017517:
[EMAIL PROTECTED], size=0, class=0, nrcpts=0, proto=ESMTP,
daemon=MTA, relay=localhost.localdomain [127.0.0.1]
Mar 16 13:15:09 brutus spamd[10588]: spamd: got connection over
/var/run/spamass.sock

Any help greatly appreciated.

Many thanks

Mike

  
I've not used the spamass milter, but have heard of many having 
difficulties with it.  I would suggest using mimedefang, and let it use 
spamassassin, and feed the info to sendmail.


I would tail -f path/to/maillog, and start sendmail.  That will show 
some useful info as well.  Also, make sure that you are starting spamd 
before you start sendmail.



-=Aubrey=-


Re: why I get it?

2007-03-19 Thread maillist

Rocco Scappatura wrote:

Hello,

I received a spam message this morning in my mailbox. So I submit it to
spamassassin to calculate the score that spamassassin give it.

Here the result:

Content preview:  "Diable!" bird market light sort said Monte Cristo
compassionately,
   "it i Villefort pressed her plate earth hand to set long let her know
it
  was "Ah, true."theory skin "Oh, no, sir," she blade slope answered;
"but you
   know, things [...]

Content analysis details:   (6.2 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 1.1 EXTRA_MPART_TYPE       Header has extraneous Content-type:...type= entry
 0.1 FORGED_RCVD_HELO       Received: contains a forged HELO
 0.0 HTML_MESSAGE           BODY: HTML included in message
 3.5 BAYES_99               BODY: Bayesian spam probability is 99 to 100%
                            [score: 0.9991]
 0.8 SARE_GIF_ATTACH        FULL: Email has a inline gif
 0.7 MY_CID_AND_STYLE       SARE cid and style

So it is clear at all why i have retrieved the message in my mailbox..

If someone could give an explanation of this phenomenon, I will
appreciate it,

BR,

rocsca

  


What version of SA are you running?  If not 3.1.8 then upgrade.

-=Aubrey=-


Re: spamassassin not working - spamass.sock unsafe

2007-03-20 Thread maillist

Joey Davis wrote:

Greetings ...
 
I can not get spamassassin to work.  I have seen this problem in some 
newsgroups but no definitive solution.  Here is the information
 
OS Version: FC5

Sendmail: 8.13.7
Spamassassin: 3.1.3
 
Log entries:
Mar 19 17:28:32 obwat sendmail[29903]: l2JMSW21029903: Milter 
(spamassassin): local socket name /var/run/spamass-milter/spamass.sock 
unsafe
Mar 19 17:28:32 obwat sendmail[29903]: l2JMSW21029903: Milter 
(spamassassin): to error state
Mar 19 17:28:32 obwat sendmail[29903]: l2JMSW21029903: Milter: 
initialization failed, temp failing commands

Thanks for any help,
 
Joey


I'm not sure, and please someone correct me if I'm wrong, but I don't 
think that the spamass milter works.  I've never seen/heard about it 
working, but have heard many people expressing difficulties with it.  
Luckily a friend of mine suggested to me to use mimedefang 
(http://www.mimedefang.org/).  It works wonderfully with sendmail, and 
acts as a medium for spamassassin, a few antivirus scanners, and other 
things that you may wish.  You need only tell sendmail where the .sock 
is for mimedefang, and mimedefang handles the rest.


Good luck
-=Aubrey=-


Re: why I get it?

2007-03-20 Thread maillist

Rocco Scappatura wrote:

What version of SA are you running?  If not 3.1.8 then upgrade.



# spamassassin -V
SpamAssassin version 3.1.8
  running on Perl version 5.8.8

rocsca

  


I was having the same problem with v 3.1.7, and when I upgraded to 
3.1.8, they stopped.


Do you get the same score if you run: "spamc -c < message"

Post the entire message, with headers and all.


-=Aubrey=-


Re: Whitelist scoring question

2007-03-20 Thread maillist

Mark Adams wrote:

Hi All,

I have not got to the bottom of this. Does anyone know how to report on
whether a mail is having points deducted because it is whitelisted?

Regards,
Mark

On Wed, Mar 07, 2007 at 03:34:58PM +, Mark Adams wrote:
  

Thanks for that,

The lint has not complained about any config problems with the line you
have suggested. Do you know a quick and easy way of testing whether the
whitelisting is working correctly? I have a reporting template setup as
below, but this never shows any whitelist hits. (I'm probably just
missing something!).

report "hits=_HITS_ required=_REQD_ test=_TESTS_"

Help appreciated.

Regards,
Mark



Yes edit your /etc/mail/spamassassin/local.cf file.  Add the following...

score USER_IN_WHITELIST -XXX  (Where -XXX is the score that you wish)

Remember to always run spamassassin --lint

restart spamassassin.

-=Aubrey=-
  


  


You could run: "spamassassin --test-mode < message", and see what it is 
scoring.


-=Aubrey=-


Re: Query Reg spam originate to Unknown user

2007-03-20 Thread maillist

sushma wrote:


hi,
I am running spamassassin in another machine and relaying mails to 
local machine(i.e i am not running spamassassin in local machine). In 
this case how to reject mails destined to unknown user.







Mail that comes to your server that is destined for a user that you 
don't have an in-box for, should be rejected at the MTA level.  If not, 
there is something terribly wrong.  What MTA are you using?


-=Aubrey=-


Re: Is Bayes Dead? Have the spammers won?

2007-03-22 Thread maillist

Theo Van Dinter wrote:

On Thu, Mar 22, 2007 at 09:55:07AM -0700, Marc Perkel wrote:
  

Where bayes used to be the centerpiece of spam filtering ...



FWIW, I don't think Bayes has really ever been the "centerpiece" of
spam filtering.  Definitely not within SA anyway.  It's a good tool,
but it's just another tool in the belt.
  
I don't know about that.  I'd say that 95% of all spam filtered in my 
system has BAYES_99 as a trigger, and of that, probably 75% - 85% would 
not have been caught if not for that trigger.  But I don't autolearn, or 
autowhitelist.  I just don't have enough faith in my own setup to allow 
it to make its own decisions.


-=Aubrey=-

/me continues to wait for the spammers to tire of greylisting

  




Re: Socket.pm errors

2007-03-23 Thread maillist

Lance Albertson wrote:

I recently updated SA on our machines from 3.1.1 to 3.1.8 and I started
noticing a new issue crop up. I also noticed that someone else had a
similar problem and reported it on this list back in January [1], but it
never got an answer back about it. I've looked elsewhere online and have
yet to find a solution yet.

Here is a log excerpt of what I see:

Mar 23 11:50:48 spamfilter5 spamd[28398]: Use of uninitialized value in
subroutine entry at
/usr/lib/perl5/5.8.5/i386-linux-thread-multi/Socket.pm line 370.
Mar 23 11:50:48 spamfilter5 spamd[28398]: Bad arg length for
Socket::unpack_sockaddr_in, length is 0, should be 16 at
/usr/lib/perl5/5.8.5/i386-linux-thread-multi/Socket.pm line 370.
Mar 23 11:50:48 spamfilter5 spamd[28398]: spamd: error: Bad arg length
for Socket::unpack_sockaddr_in, length is 0, should be 16 at
/usr/lib/perl5/5.8.5/i386-linux-thread-multi/Socket.pm
line 370.
Mar 23 11:50:48 spamfilter5 spamd[28398]:  , continuing at
/usr/bin/spamd line 924.
Mar 23 11:50:48 spamfilter5 spamd[25791]: prefork: child states:
BBBB
Mar 23 11:50:48 spamfilter5 spamd[25791]: prefork: server reached
--max-children setting, consider raising it

During the time I get these errors, I seem to have emails go through the
system without getting tagged with any X-Spam* tags. Yet, I can find in
the log that the email was tagged and was done under the timeout setting
we have for spamc. These errors seem to be related to the amount of load
the machine is having at the time (i.e. higher loads tends to bring
these errors out more). They also seem to be transient in that after a
few minutes they seem to go away and things are back to normal (probably
when the load goes down).

I'm no programmer, but from my point of view it seems as though the
child algorithms used to clean up connections is getting confused when
they're close to their max setting.

Now, some background on our setup. We have a pool of seven servers that
are behind a BigIP running spamassassin (running mostly RHAS4, but we
also have two Solaris 10 amd64 machines). We have a pool of mail
delivery servers running sendmail and invoking procmail which then
invokes spamc to connect to the virtual IP. I do not see any timeout
errors in the logs from spamc during these periods of errors.

About a month ago, we were running into a resource limit on our oracle
database server (where all the user prefs are stored). I found the
persistent DB plugin on the wiki site [2] and added it to all our
servers. It fixed the resource issue and no other issue came up at that
time. However, I did notice after adding the plug-in that a lot of spamd
children weren't dying and were staying active. So I suspect this
plug-in might be a source of the problem.

Now since I've upgraded to the latest version, I'm seeing these problem
of non-tagged email. Now, my actual questions:

 * Does anyone have any idea what might be causing this problem?
 * Do I need to upgrade perl (currently running 5.8.5 on RHAS4)?
 * Is the persistent DB plug-in causing the issue?

I just updated one of the Solaris 10 machines and haven't noticed the
error yet. It does have a newer version of perl on it (5.8.8).

Anyways, any help would be appreciated! Thanks!

[1] http://article.gmane.org/gmane.mail.spam.spamassassin.general/94500
[2] http://wiki.apache.org/spamassassin/DBIPlugin

  


I would see if you could maybe get a fresher version of IO::Socket. The 
latest on CPAN is 1.2301


(http://search.cpan.org/CPAN/authors/id/G/GB/GBARR/IO-1.2301.tar.gz)

I would *not* try to upgrade Perl.  In doing so, you could cause your 
machine to lapse in an error-log extravaganza.


-=Aubrey=-


Just a general question

2007-03-23 Thread maillist
I've been on this mail list only for a few months now, and am wondering 
if I am the smallest guy here.  I often have questions, and usually find 
the answer just by browsing in past mails, which is really cool.  I see 
most of the folks that are questioning/replying are admins of rather 
large systems, many ISPs. 

I only run a little bitty server with under 100 users.  Are there any 
others like that here?  The reason I ask is, I think that running a 
single-domain server, with under 100 users gives a little more room for 
testing, and general mis configuring errors, and would like to know of 
some methods that maybe other small guys like myself have come up with 
to trouble-shoot.


-=Aubrey=-


Re: Who is apews.org ?

2007-03-23 Thread maillist

Marc Perkel wrote:



Marc Perkel wrote:
They don't seem to have any contact info. Anyone know anything about 
them?




Whoops - typo. - I mean apews.org



Dunno.  Tar-pit?


Re: Anyone else seeing a large rise in spam?

2007-03-24 Thread maillist

Nigel Frankcom wrote:

Hi All,

As per the title, I'm seeing a pretty big rise this last week. So far
this week has seen the most spam I've ever had to deal with in over 10
years.

RBLs and SA are catching more, as is greylisting. That said, yesterday
saw double my 'usual' amount of spam. Though it's been creeping up all
week.

Is it just me or is this trend being reflected elsewhere?

Kind regards

Nigel

  

These are my spamdrop folders for last week, and this past week


Last week:

21M 2007-03-19 23:59 Mon
18M 2007-03-20 23:59 Tue
19M 2007-03-21 23:59 Wed
20M 2007-03-22 23:59 Thu
17M 2007-03-23 23:59 Fri
9M 2007-03-17 23:59 Sat
18M 2007-03-18 23:59 Sun

-

This week:


22M 2007-03-19 23:59 Mon
25M 2007-03-20 23:59 Tue
24M 2007-03-21 23:59 Wed
14M 2007-03-22 23:59 Thu
14M 2007-03-23 23:59 Fri
18M 2007-03-17 23:59 Sat
23M 2007-03-18 23:59 Sun

I guess it's been up a little.  I've got under around 70 users

-=Aubrey=-




could someone run these messages....

2007-03-26 Thread maillist


The only tests that they score for me are BAYES_99, which should be 
enough to get them sent to my spam-drop, but they get to the users 
instead.  When I --lint -D I don't see anything that tells me that I 
have a config problem.


I start spamd this way, as root...

/usr/bin/spamd -r /var/run/spamd.pid \
-d --username=defang --max-spare=5 --min-children=5 --max-children=35

slackware
sendmail 8.14.0
mimedefang 2.61
SpamAssassin version 3.1.8
 running on Perl version 5.8.8

What do you score for these emails?
http://securebackend.net/mail_temp/aubrey.txt (I put 2 messages there)

-=Aubrey=-


Re: spass-milter core dump

2007-03-27 Thread maillist

Theo Van Dinter wrote:

On Tue, Mar 27, 2007 at 03:48:33PM +1000, James Lees Vodanovich wrote:
  

Spamass-milter crashes about once a week.

Here is the backtrace from spamass-milter.core (72MB)
Any ideas



Talk to the spamass-milter people.

  


...or use mimedefang.  I've heard a lot of fuss about spamass-milter not 
being so stable.  Mimedefang is powerful, and has functionality that I 
adore.  If you need help, I would help you with that.  I cannot help 
with spamass-milter, because I never used it.


-=Aubrey=-


Re: spamhaus / whitelist

2007-03-27 Thread maillist

Jean-Paul Natola wrote:

Hi everyone,

I have a contact from Africa whom I put on the whitelist because everytime he
would send mail the scores went through the roof-

Recently he started getting this:

554 5.7.1 Service unavailable; Client host [41.204.40.26] blocked using
sbl-xbl.spamhaus.org; http://www.spamhaus.org/SBL/sbl.lasso?query=SBL52368

What "fix" can I do to enable him to send to us again 










Jean-Paul Natola
Network Administrator
Information Technology
Family Care International
588 Broadway Suite 503
New York, NY 10012
Phone:212-941-5300 xt 36
Fax:  212-941-5563
Mailto: [EMAIL PROTECTED]

  


An easy way would be to:

whitelist_from  [EMAIL PROTECTED]


Others here will say that is not a good idea, because of how easy it is 
to spoof.  But to me, saying anything about spoofs when referring to 
Africans, can be harmful to your health.


-=Aubrey=-


Re: spamhaus / whitelist

2007-03-27 Thread maillist

maillist wrote:

Jean-Paul Natola wrote:

Hi everyone,

I have a contact from Africa whom I put on the whitelist because 
everytime he

would send mail the scores went through the roof-

Recently he started getting this:

554 5.7.1 Service unavailable; Client host [41.204.40.26] blocked 
using
sbl-xbl.spamhaus.org; 
http://www.spamhaus.org/SBL/sbl.lasso?query=SBL52368


What "fix" can I do to enable him to send to us again








Jean-Paul Natola
Network Administrator
Information Technology
Family Care International
588 Broadway Suite 503
New York, NY 10012
Phone:212-941-5300 xt 36
Fax:  212-941-5563
Mailto: [EMAIL PROTECTED]

  


An easy way would be to:

whitelist_from  [EMAIL PROTECTED]


Others here will say that is not a good idea, because of how easy it 
is to spoof.  But to me, saying anything about spoofs when referring 
to Africans, can be harmful to your health.


-=Aubrey=-



Sorry for the bad joke

It really depends on what MTA you are using, because the best way to get 
mail from this man, would be to have him authenticate directly to your 
SMTP server.


Or you could also set him up with a local account on your server, and 
have him send the mail locally via ssh access.


-=Aubrey=-


-=Aubrey=-


Re: Image spam

2007-03-27 Thread maillist

David Gibbs wrote:

--[ UxBoD ]-- wrote:
  
Yes image spam can be a real pain. 



While I agree that image spam is a PITA ... I have to wonder how ANYONE
in the right mind could fall for that garbage.

I mean, be real ... if the message you get contains an image, surrounded
by garbage text, and the image quality is worse than a 60's era
television picture, how hard is to figure out that the message is
questionable?

Half the image spam's I've read are so garbled, to avoid the ocr tests,
it's impossible to decipher what they are trying to pump & dump anyways.

david

  


Maybe there's real genius involved in this image spam.  I have only 
received a few of them because luckily BAYES_99 catches them all (maybe 
I get one in 2 months).  We used to try to decipher what the messages 
were, just to see who could get it first.  Plus, it reminded us of Atari.


sa-learn them, and they should go away

-=Aubrey=-


Re: whitelisting yahoogroups.com

2007-03-28 Thread maillist

Ilya Vishnyakov wrote:

 
Hmm. Hello Spamassassin Gurus!

I'm having difficulties with yahoogroups.com emails. I whitelisted
them as [EMAIL PROTECTED] , but emails still get into the
spam. Is there any other way that I can whitelist it?
I attach 2 screenshots with the headers for your convenience.
Thank you in advance!
  


Just whitelist like this:

whitelist_from  *@yahoogroups.com


-=Aubrey=-


Re: Who is APEWS.ORG

2007-03-29 Thread maillist

John D. Hardin wrote:

On Thu, 29 Mar 2007, Jonas Eckerman wrote:

  

Are you using (SMTP) Sender Address Verifications?

You might see that as filtering, but to the systems (including
both spam traps and SMTP servers) you connect to in order to
verify falsified senders your system looks and acts like a spammer
or dictionary attacker.



Can anyone recommend a non-abusive way to validate email addresses?

--
 John Hardin KA7OHZ    http://www.impsec.org/~jhardin/
 [EMAIL PROTECTED]    FALaholic #11174    pgpk -a [EMAIL PROTECTED]
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  You are in a maze of twisty little protocols,
  all written by Microsoft.
--
 15 days until Thomas Jefferson's 264th Birthday

  


Send an email to [EMAIL PROTECTED], and ask them?


Re: Check to see if my server is on Blacklists?

2007-03-29 Thread maillist

Don Ireland wrote:

Is there some place I can go and see if my email server is on a blacklist?

I just received a msg that it's on at least one--psbl.

Thanks.

Don Ireland

  


dnsstuff.com


Re: SA rules subscription service

2007-04-04 Thread maillist

Walter Keen wrote:

I've been told there is some sort of a subscription service for SA rules
to check messages against


Does such a thing exist, I haven't had any luck on google...

  


Yes, I have a service.  It is $5000.00 per year, payable up front.  I 
will run sa-update for you, from anywhere but your office.  ;)


-=Aubrey=-


spam graphs

2007-04-04 Thread maillist
I have seen a few people present, on this mail list, nicely detailed 
graphs, that obviously were the result of some server output, but they 
focused on email, mainly spam.  I am interested in having the same.  
Does anyone have any recommendations for a good package that can do this?


All I currently use is logwatch.  It's nice for my needs to administer, 
but the boss would like to see something that he can understand without 
having to do so much thinking.  Maybe he wants to replace me with a 
bar-graph.


As always, any help is appreciated.

-=Aubrey=-


Re: spam graphs

2007-04-04 Thread maillist

Jim Knuth wrote:

Today (05.04.2007/02:34) Luis Hernán Otegui wrote,

  

Well, if you have Postfix and Amavis, I've tried amavis-stats (a little bit
old now, and frankly, never worked correctly on my Debian-based servers).
I'm currently using Mailgraph, from the Debian package. Works like a charm
almost out-of-the-box. Though it should be available as a package for
another distros...




  

Luix



  

2007/4/4, maillist <[EMAIL PROTECTED]>:


I have seen a few people present, on this mail list, nicely detailed
graphs, that obviously were the result of some server output, but they
focused on email, mainly spam.  I am interested in having the same.
Does anyone have any recommendations for a good package that can do this?

All I currently use is logwatch.  It's nice for my needs to administer,
but the boss would like to see something that he can understand without
having to do so much thinking.  Maybe he wants to replace me with a
bar-graph.

As always, any help is appreciated.

-=Aubrey=-

  



I use MRTG for all systemreports. Ram, Swap, httpd, load average,
CPU usage, CPU temperature and so on.
http://oss.oetiker.ch/mrtg/
And I use mailgraph too.


  



That looks exactly like what I hoped to find.  Many thanks, sir.

-=Aubrey=-


Re: Spamassassin and memory utilization

2007-04-11 Thread maillist

Joey Davis wrote:

Sorry, I intended to include this entry from the messages log:

Apr 10 00:00:02 msop sendmail[1622]: unable to dlopen
/usr/lib/sasl2/libcrammd5.so.2: /usr/lib/sasl2/libcrammd5.so.2: failed to
map segment from shared object: Cannot allocate memory


Thanks,

Joey 


-Original Message-
From: Richard Frovarp [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, April 11, 2007 9:51 AM

To: Joey Davis
Cc: users@spamassassin.apache.org
Subject: Re: Spamassassin and memory utilization

Joey Davis wrote:
  
I am running into memory allocation problems and am not sure how to 
resolve it.  My question: Is it advisable to limit the number of child 
processes started by spamassassin in my situation.  I'm green and not 
sure how to handle this.
 
I am on a VPS with thirty email users.
 
 
Tasks:  21 total,   2 running,  19 sleeping,   0 stopped,   0 zombie
Cpu(s):  0.0% us,  0.0% sy,  0.0% ni, 100.0% id,  0.0% wa,  0.0% hi, 
0.0% si,  0.0% st

Mem:   4139312k total,  3961724k used,   177588k free,53200k buffers
Swap:  8388576k total,  592k used,  8387984k free,  3245160k cached
 
  PID USER  PR  NI  VIRT  RES  SHR S %CPU %MEMTIME+  COMMAND

1 root  16   0  1916  668  576 S0  0.0   0:00.07 init
 4002 root  16   0  1580  564  472 S0  0.0   0:01.15 syslogd
 4010 root  16   0  4900 1108  792 S0  0.0   0:00.00 sshd
 4019 root  15   0  2144  828  700 S0  0.0   0:00.61 xinetd
 5166 sa-milt   19   0  2240  524  404 S0  0.0   0:00.00 
spamass-milter-
 5167 sa-milt   16   0 44804 1512 1108 S0  0.0   0:05.74 
spamass-milter

 5187 root  16   0 27484 9420 5852 S0  0.2   0:00.10 httpd
 5196 root  16   0  3128 1116  576 S0  0.0   0:00.02 crond
 5204 root  16   0  5148 1280  984 S0  0.0   0:00.02 saslauthd
 5210 apache16   0 27640 5096 1432 S0  0.1   0:00.32 httpd
 5324 apache15   0 27640 5104 1432 S0  0.1   0:00.35 httpd
 5346 apache15   0 27640 5080 1400 S0  0.1   0:00.35 httpd
20384 root  16   0 46880  43m 2220 S0  1.1   0:03.25 spamd
15603 apache16   0 27620 5096 1400 S0  0.1   0:00.23 httpd
15694 apache15   0 27756 5116 1400 S0  0.1   0:00.26 httpd
15582 root  15   0 54044  50m 2272 S0  1.2   1:45.61 spamd
21824 root  16   0 48016  44m 2204 S0  1.1   0:02.25 spamd
10082 jdavis16   0  7212 2692 2188 S0  0.1   0:00.07 imapd
11463 root  16   0  7896 2384 1936 R0  0.1   0:00.11 sshd
11481 root  15   0  2432 1372 1104 S0  0.0   0:00.04 bash
15631 root  16   0  2056  988  796 R0  0.0   0:00.01 top
 


Yes, it probably would be advisable to limit the number of child processes.
However, I don't see any indication there that you are running into memory
problems.


  



It appears that is not a SA issue.  That is referring to SASL2 which 
has, in this case, to do with sendmail.  Make sure that SASL was 
installed properly.  It looks like some libraries are not there.  Or do 
not worry about it, unless you're authenticating users from outside to 
use your SMTP server as a relay.  But if you're authenticating users, 
then you would have noticed already that this was not working.


But to answer your question about child processes, that depends on how 
you are starting spamd.  I start it like this...


/usr/bin/spamd -r /var/run/spamd.pid \
-d --username=defang --max-spare=8 --min-children=10 --max-children=45

-=Aubrey=-


Re: mkdir /root/.spamassasin: permission denied error.

2007-04-12 Thread maillist

porterj wrote:

I just set-up spamassassin on a Red Hat Enterprise Linux 4 mail server and it
appears that spamassassin is working as I am seeing messages that are now
tagged as spam.

However, in my /var/log/maillog I keep seeing a message similar to the
following and am unsure how to fix it.  Any help would be appreciated.

Begin message in /var/log/maillog

Apr 12 10:27:44 servername spamd[18456]: spamd: setuid to root succeeded
Apr 12 10:27:44 servername spamd[18456]: spamd: still running as root: user
not specified with -u, not found, or set to root, falling back to nobody at
/usr/bin/spamd line 1147,  line 4.
Apr 12 10:27:44 servername spamd[18456]: spamd: processing message
<[EMAIL PROTECTED]> for root:99
Apr 12 10:27:45 servername spamd[18456]: mkdir /root/.spamassassin:
Permission denied at /usr/lib/perl5/vendor_perl/5.8.5/Mail/SpamAssassin.pm
line
1536
Apr 12 10:27:45 servername spamd[18456]: locker: safe_lock: cannot create
tmp lockfile /root/.spamassassin/auto-whitelist.lock.servername.domain.com
.18456 for /root/.spamassassin/auto-whitelist.lock: Permission denied
Apr 12 10:27:45 servername spamd[18456]: auto-whitelist: open of
auto-whitelist file failed: locker: safe_lock: cannot create tmp lockfile
/root/.spamassassin/auto-whitelist.lock.servername.domain.com.18456 for
/root/.spamassassin/auto-whitelist.lock: Permission denied
Apr 12 10:27:45 servername spamd[18456]: bayes: locker: safe_lock: cannot
create tmp lockfile
/root/.spamassassin/bayes.lock.servername.domain.com.18456 for
/root/.spamassassin/bayes.lock: Permission denied
Apr 12 10:27:45 servername spamd[18456]: spamd: clean message (0.0/3.5) for
root:99 in 0.6 seconds, 8188 bytes.
Apr 12 10:27:45 servername spamd[18456]: spamd: result: . 0 -
scantime=0.6,size=8188,user=root,uid=99,required_score=3.5,rhost=servername,raddr=127.0.0.
1,rport=55310,mid=<[EMAIL PROTECTED]>,autolearn=failed

End message in /var/log/maillog

Thanks,
JP
  



First of all, you need to start spamd with the -u option as whatever 
user you've designated to run spamd, but not as root.  Example:


/usr/bin/spamd -r /var/run/spamd.pid -d --username=defang

Also, you may want to specify a directory to use for bayes.  In my 
local.cf, I use:


bayes_path /etc/mail/spamassassin/bayes/bayes

I do not use autowhitelist, or autolearn.  If you want to use them, then 
I hope someone else here can help you.


-=Aubrey=-


Re: mkdir /root/.spamassasin: permission denied error.

2007-04-12 Thread maillist

porterj wrote:

Thanks for your replies.  I did not realize this message was being spawned by
'spamc'.  I had established a -u username but had it kicking off with the
'spamd' process.  I corrected this and the errors went away.  


Speaking of auto whitelist.  Is this not a good feature to use?  I have it
turned on, I believe, but could turn it off if it is not recommended.

Thanks again,
JP



  



It really depends on your needs.  I have a single domain, with under 100 
users.  I have a few user accounts that I know receive nothing but 
spam.  I use those users to catch the latest spam, and do all of my 
learning manually.  Other folks on this list have a *very* different set 
of needs.  If you can afford the time, I would recommend turning off 
AWL, and just run sa-learn manually on messages that get through, as 
they come in.


-=Aubrey=-


Re: Spamassassin really buggered

2007-04-13 Thread maillist

jpff wrote:

Since I upgraded to SpamAssassin version 3.1.8 running on Perl version
5.8.4  I have had problems.  The mailer gets swamped and I get lots of
odd messages; simple example.

Apr 13 21:07:26 snout spamd[17853]: Attempt to free non-existent shared string 'test_names_hit' at /usr/local/share/perl/5.8.4/Mail/SpamAssassin/PerMsgStatus.pm line 1298. 
Apr 13 21:07:27 snout spamd[17853]: Attempt to free non-existent shared string 'body_only_points' at /usr/local/share/perl/5.8.4/Mail/SpamAssassin/PerMsgStatus.pm line 1298. 
Apr 13 21:09:44 snout spamd[17853]: Attempt to free non-existent shared string '[EMAIL PROTECTED]' at /usr/local/share/perl/5.8.4/Mail/SpamAssassin/Conf.pm line 3195. 
Apr 13 21:09:45 snout spamd[17853]: Attempt to free non-existent shared string '[EMAIL PROTECTED]' at /usr/local/share/perl/5.8.4/Mail/SpamAssassin/Conf.pm line 3195. 
Apr 13 21:09:45 snout spamd[17853]: Attempt to free non-existent shared string '[EMAIL PROTECTED]' at /usr/local/share/perl/5.8.4/Mail/SpamAssassin/Conf.pm line 3195. 
Apr 13 21:09:45 snout spamd[17853]: Attempt to free non-existent shared string '[EMAIL PROTECTED]' at /usr/local/share/perl/5.8.4/Mail/SpamAssassin/Conf.pm line 3195. 
Apr 13 21:09:45 snout spamd[17853]: Attempt to free non-existent shared string '[EMAIL PROTECTED]' at /usr/local/share/perl/5.8.4/Mail/SpamAssassin/Conf.pm line 3195. 
Apr 13 21:09:45 snout spamd[17853]: Attempt to free non-existent shared string '[EMAIL PROTECTED]' at /usr/local/share/perl/5.8.4/Mail/SpamAssassin/Conf.pm line 3195. 
Apr 13 21:09:45 snout spamd[17853]: Attempt to free non-existent shared string '[EMAIL PROTECTED]' at /usr/local/share/perl/5.8.4/Mail/SpamAssassin/Conf.pm line 3195. 
Apr 13 21:09:45 snout spamd[17853]: Attempt to free non-existent shared string '[EMAIL PROTECTED]' at /usr/local/share/perl/5.8.4/Mail/SpamAssassin/Conf.pm line 3195. 
Apr 13 21:09:45 snout spamd[17853]: Attempt to free non-existent shared string '[EMAIL PROTECTED]' at /usr/local/share/perl/5.8.4/Mail/SpamAssassin/Conf.pm line 3195. 



and many similar messages with different "non-existent" strings.

Basically the mailer stopped delivering and I am stuck

What is happening?

==John ffitch

  


I'm no perl expert, but it looks like line #3195 is looking for 
something that's not there.  That version of SA that you've upgraded to 
will require the following perl modules.  ( I run slackware, so there 
could very well be modules installed on my system by default, that may 
not be defaulted to yours.  AKA, you may need more or less)


Digest::SHA1
HTML::Parser
   HTML::Tagset
libwww-perl-5.805
   URI
   Compress::Zlib
   Compress::Raw::Zlib
   IO::Compress::Base
Net::DNS
   Digest::HMAC_MD5
   Net::IP
   IO::Socket::INET6
   Socket6-0.19
Mail::SPF::Query
   Net::CIDR::Lite
   Sys::Hostname::Long
IP::Country
Razor2
razor-agents-sdk-2.07
Archive::Tar
   IO::Zlib


Net::Ident
IO::Socket::SSL
Net::SSLeay
LWP::UserAgent
HTTP::Date

The indentation signifies the requirements.

-=Aubrey=-


Re: How to use SpamAssassin from PHP?

2007-04-17 Thread maillist

BG Mahesh wrote:


hi

I want to pass the comments/text entered by users on a form to 
SpamAssassin for approval. If it approves it only then I want to 
accept the text, else I want to inform the user that the text is Spam 
and reject the user's comments.


We use PHP and want to know how to implement this.

regards,

--
--
B.G. Mahesh
http://www.greynium.com/
http://www.oneindia.in/
http://www.click.in/ - Free Indian Classifieds 


If you're going to do this, and you will be learning messages from that 
format, then I would recommend using that SA install only for that 
purpose, and do not try to use it for scanning mail as well.


-=Aubrey=-


Re: Reverse DNS question

2007-04-17 Thread maillist

Robert Fitzpatrick wrote:

I have a customer that needs to setup their reverse DNS. The mail server
identifies itself as, for example, abc.com. The Address record for
abc.com points to our web hosting server here naturally since we host
the web site. They have an Address record of mail.abc.com pointing to
their mail server. When BOTNET or other similar rules perform the lookup
for reverse DNS, do they consider the Address record at all or is it
just important that the mail server IP address resolves to the mail
server hostname it identifies itself as?

They are hoping that a PTR record for the IP pointing to abc.com will
work. If the Address record is evaluated by taking the hostname of the
mail server, then my customer will have to change the hostname to match
'mail.abc.com' I'm afraid :(

  


Sounds like they need to adjust their MTA to announce mail.abc.com 
rather than abc.com in its HELO argument.


-=Aubrey=-
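
The mismatch discussed in this thread, as an added example that is not part of the original messages: a generic forward-confirmed reverse DNS check (not the BOTNET plugin's own logic) run over constructed records in which abc.com points at the web host and mail.abc.com at the mail server. The IP addresses, function names and zone table are assumptions made for illustration.

```python
import socket

def system_ptr(ip):
    """PTR names for ip from the system resolver (empty list on failure)."""
    try:
        name, aliases, _ = socket.gethostbyaddr(ip)
        return [name, *aliases]
    except OSError:
        return []

def system_a(name):
    """Addresses for name from the system resolver (empty list on failure)."""
    try:
        return sorted({info[4][0] for info in socket.getaddrinfo(name, None)})
    except OSError:
        return []

def _norm(name):
    return name.rstrip(".").lower()

def check_mail_identity(ip, helo, ptr_lookup=system_ptr, a_lookup=system_a):
    """Compare the connecting IP, its PTR names and the HELO name."""
    ptr_names = [_norm(n) for n in ptr_lookup(ip)]
    # A PTR name only counts if its own address record leads back to the IP.
    confirmed = [n for n in ptr_names if ip in a_lookup(n)]
    helo = _norm(helo)
    return {
        "ptr": ptr_names,
        "fcrdns": bool(confirmed),
        "helo_resolves_to_ip": ip in a_lookup(helo),
        "helo_matches_ptr": helo in confirmed,
    }

# Constructed records mirroring the thread: the bare domain is the web host.
WEB_IP, MAIL_IP = "192.0.2.10", "198.51.100.25"
A_RECORDS = {"abc.com": [WEB_IP], "mail.abc.com": [MAIL_IP]}

def scenario(ptr_name, helo):
    """Run the check for the mail server IP with a given PTR target and HELO."""
    return check_mail_identity(
        MAIL_IP,
        helo,
        ptr_lookup=lambda ip: [ptr_name] if ip == MAIL_IP else [],
        a_lookup=lambda name: A_RECORDS.get(name, []),
    )

if __name__ == "__main__":
    cases = [
        ("PTR -> abc.com, HELO abc.com", "abc.com", "abc.com"),
        ("PTR -> mail.abc.com, HELO abc.com", "mail.abc.com", "abc.com"),
        ("PTR -> mail.abc.com, HELO mail.abc.com", "mail.abc.com", "mail.abc.com"),
    ]
    for label, ptr_name, helo in cases:
        print(label, scenario(ptr_name, helo))
```

Only the last case is consistent in all three respects; with the PTR pointed at abc.com the forward lookup lands on the web host, so the reverse record cannot be confirmed.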


Re: Spamassassin: Best Practices

2007-04-23 Thread maillist

Pradeep Mishra wrote:

Hello Friends

I am a newbie on spamassassin and would like to know..

1) How can we train the spamassassin using bayesian to FILTER ALL
OUTGOING AS WELL AS INCOMING messages from my server.

2) Some really Best Practices for implementing and running Spamassassin.

Thanks for all your efforts.




These questions depend on what all you are running.  You will need to be 
a bit more specific.


-=Aubrey=-


Re: Spamassassin 3.2.0

2007-05-21 Thread maillist

Ming Hou wrote:


Thank all of your replies.

I did try the following option:
perl Makefile.PL INC='-I/usr/local/ssl/include' 
  LIBS='-L/usr/local/ssl/lib -lssl -lcrypto'


The "make test" still failed for the SSL portion. Any idea?

Thanks.
ming
  


After fighting with many problems with this install, I finally gave up.  
But I did get all of the perl modules in line.  Since I kept track of 
these from version 3.1.7.


These are the modules I had to install starting with 3.1.7

Digest::SHA1
HTML::Parser
   HTML::Tagset
libwww-perl-5.805
   URI
   Compress::Zlib
   Compress::Raw::Zlib
   IO::Compress::Base
Net::DNS
   Digest::HMAC_MD5
   Net::IP
   IO::Socket::INET6
   Socket6-0.19
Mail::SPF::Query
   Net::CIDR::Lite
   Sys::Hostname::Long
IP::Country
Razor2
razor-agents-sdk-2.07
Archive::Tar
   IO::Zlib


Net::Ident
IO::Socket::SSL
Net::SSLeay
LWP::UserAgent
HTTP::Date


These are the ones I had to install to get 3.2.0-pre to install (sorry I 
didn't list the actual module::name):


Mail-SPF-2.004.tar.gz
   Net-DNS-Resolver-Programmable-0.002.2.tar.gz
   Error-0.17008.tar.gz
   NetAddr-IP-4.004.tar.gz
   Module-Build-0.2806.tar.gz
   Module-Signature-0.55.tar.gz
   ExtUtils-ParseXS-2.18.tar.gz
   ExtUtils-CBuilder-0.18.tar.gz
   version-0.71.tar.gz
   Pod-Readme-0.09.tar.gz
   Regexp-Common-2.120.tar.gz
   podlators-2.0.5.tar.gz
   Pod-Simple-3.05.tar.gz
   ExtUtils-CBuilder-0.18.tar.gz

Mail-DomainKeys-1.0.tar.gz
   Crypt-OpenSSL-RSA-0.24.tar.gz
   Crypt-OpenSSL-Random-0.03.tar.gz
Mail-DKIM-0.24.tar.gz
Encode-Detect-1.00.tar.gz


Maybe this will help you.  It seems like I had the same problems, and 
this corrected it.


-=Aubrey=-




Re: what scores do you get on this

2007-06-05 Thread maillist

Chris wrote:

On Tuesday 29 May 2007 9:52 am, ram wrote:
  

This is a very intelligently written scam mail

http://ecm.netcore.co.in/tmp/missed.txt

I set my servers to pretty aggressive custom rules , but I am not able
to catch this spam

Bayes has messed up agreed but even not counting bayes almost no other
rules hit. Notwithstanding using custom spamscanner from commtouch to
complement spamassassin


I get

Content analysis details:   (19.0 points, 7.0 required)

pts rule name                 description
--- ------------------------- --------------------------------------------------
0.8 UNDISC_RECIPS             Valid-looking To "undisclosed-recipients"
1.2 TVD_RCVD_SPACE_BRACKET    Received header has a spammy looking section
1.5 ROUND_THE_WORLD           Received: says mail sent around the world (DNS)
3.0 FORGED_RCVD_HELO          Received: contains a forged HELO
0.0 UNPARSEABLE_RELAY         Informational: message has unparseable relay lines
8.0 BAYES_99                  BODY: Bayesian spam probability is 99 to 100%
                              [score: 1.]
1.5 RAZOR2_CF_RANGE_E4_51_100 Razor2 gives engine 4 confidence level above 50%
                              [cf:  73]
1.0 RAZOR2_CHECK              Listed in Razor2 (http://razor.sf.net/)
0.5 RAZOR2_CF_RANGE_51_100    Razor2 gives confidence level above 50%
                              [cf:  73]
1.5 RCVD_IN_SORBS_WEB         RBL: SORBS: sender is a abuseable web server
                              [206.51.237.119 listed in dnsbl.sorbs.net]


Re: Unable to upgrade to spamassassin v 3.2.0 on a Mac PowerBook G4

2007-06-05 Thread maillist

Matthew Hardy wrote:
I am trying to upgrade to spamassassin 3.2.0 from 3.1.8, with my operating
system being Mac OS X, v 10.4.9.  The install failed when running cpan,
despite an earlier successful installation.  The following is a part of
the script file of the terminal output during the cpan session.  It
indicates a problem with Net::DNS.
At the end of this message, I am attaching cpan session record of my
attempt to install Net::DNS.
There seemed to be multiple problems.  In particular, the MIME::Base64
is 3.05, whereas it should be 3.07.  I would be grateful for advice on how
to rectify.  When I looked at MIME::Base64, here is what I found --

cpan> install MIME::Base64
CPAN: Storable loaded ok
Going to read /Users/hardy/.cpan/Metadata
  Database was generated on Mon, 04 Jun 2007 19:10:03 GMT
MIME::Base64 is up to date (3.07).


hardy> spamassassin -V
SpamAssassin version 3.1.8
  running on Perl version 5.8.6

checking module dependencies and their versions...

*** 

ERROR: the required Net::DNS (version 0.34) module is not installed. 
at lib/Mail/SpamAssassin/Util/DependencyInfo.pm line 293,  line 1.


  Used for all DNS-based tests (SBL, XBL, SpamCop, DSBL, etc.),
  perform MX checks, and is also used when manually reporting spam to
  SpamCop.

  You need to make sure the Net::DNS version is sufficiently up-to-date:

  - version 0.34 or higher on Unix systems
  - version 0.46 or higher on Windows systems


*** 


NOTE: the optional MIME::Base64 module is installed,
but is not an up-to-date version.

  This module is highly recommended to increase the speed with which
  Base64 encoded messages/mail parts are decoded.


*** 


Text deleted.
*** 



REQUIRED module missing: Net::DNS
optional module out of date: MIME::Base64
optional module missing: Mail::SPF
optional module missing: Mail::SPF::Query
optional module missing: Net::Ident
optional module missing: Mail::DomainKeys
optional module missing: Mail::DKIM
optional module missing: LWP::UserAgent
optional module missing: HTTP::Date
optional module missing: Encode::Detect



Can you not just go to CPAN and install these modules?


Re: Consultant

2007-06-27 Thread maillist

Henry Weber wrote:


Hello,

 

We are an email hosting provider and are interested in finding 
someone who could help tighten the spamassassin setup on our servers. 
We are willing to pay for services as long as there is a good result.


 

If you are interested, please email [EMAIL PROTECTED].


 


Thanks.

 


Henry Weber

 


I'LL DO IT!

$75.00 US per email, starting with this one.

-=Aubrey=-


Logging IP addresses of spammer's SMTP

2008-09-02 Thread Thinline Maillist

Hi,

I'd like to log IPs from "Received" headers to spamd's log file for 
statistics  and further analysis (but only from messages marked as spam).
I tried to modify the code of spamd program, but unsuccessfully, since I 
chose to add it to parse_headers() subroutine, where only protocol 
specific headers are parsed (as it seems to me). This is probably not a 
right piece of source where to place this feature.
I'm not a Perl programmer nor SA expert, so has anyone with more 
experience some idea, how to log spammers remote IPs? Thanks.


Pavel
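
One way to collect the statistics asked for in this message without patching spamd, as an added example that is not code from the thread or from SpamAssassin: read the headers on delivered mail and tally, per hand-off IP, how many messages scored over a chosen threshold, producing a list for manual review. It assumes each message carries X-Spam-Status and an X-Spam-Relays-Untrusted header in `[ ip=... rdns=... helo=... ]` form; the header name, thresholds, verdict labels and sample messages are constructed for illustration.

```python
import re
from collections import Counter
from email import message_from_string

RELAY_BLOCK = re.compile(r"\[([^\]]*)\]")        # one "[ key=value ... ]" entry
SCORE = re.compile(r"score=(-?\d+(?:\.\d+)?)")   # score field of X-Spam-Status

def parse_relays(header_value):
    """Split a relays header into one dict per relay that carries an ip= field."""
    relays = []
    for block in RELAY_BLOCK.findall(header_value or ""):
        fields = dict(tok.split("=", 1) for tok in block.split() if "=" in tok)
        if fields.get("ip"):
            relays.append(fields)
    return relays

def handoff(raw_message):
    """Return (ip, score) for the host that handed the mail over, or None."""
    msg = message_from_string(raw_message)
    score = SCORE.search(msg.get("X-Spam-Status", ""))
    relays = parse_relays(msg.get("X-Spam-Relays-Untrusted"))
    if not score or not relays:
        return None
    # Only the first untrusted relay was recorded by a trusted host; entries
    # after it come from Received lines the sender could have written.
    return relays[0]["ip"], float(score.group(1))

def reputation(raw_messages, overscore=10.0, min_hits=2):
    """Per-IP counts of over-threshold and other mail, with a review verdict."""
    spam, other = Counter(), Counter()
    for raw in raw_messages:
        hit = handoff(raw)
        if hit is None:
            continue
        ip, score = hit
        (spam if score >= overscore else other)[ip] += 1
    report = {}
    for ip in sorted(set(spam) | set(other)):
        if spam[ip] == 0:
            verdict = "clean"
        elif other[ip]:
            verdict = "mixed"      # e.g. a list server relaying good and bad mail
        elif spam[ip] >= min_hits:
            verdict = "review"     # candidate for a human to look at
        else:
            verdict = "watch"
        report[ip] = {"spam": spam[ip], "other": other[ip], "verdict": verdict}
    return report

def _sample(score, *relay_ips):
    """Build a constructed message; relay entries are folded over several lines."""
    relays = "\n\t".join(
        f"[ ip={ip} rdns= helo=constructed.invalid by=mx.example.org intl=0 ]"
        for ip in relay_ips
    )
    head = f"X-Spam-Status: Yes, score={score} required=5.0 tests=CONSTRUCTED\n"
    if relays:
        head += f"X-Spam-Relays-Untrusted: {relays}\n"
    return head + "Subject: constructed sample\n\nbody\n"

# Constructed sample mail using documentation address ranges.
SAMPLES = [
    _sample(19.0, "203.0.113.7"),
    _sample(14.2, "203.0.113.7", "192.0.2.55"),  # second entry is sender-supplied
    _sample(12.1, "198.51.100.20"),
    _sample(-0.2, "198.51.100.20"),
    _sample(11.0, "192.0.2.80"),
    _sample(25.0),                               # no relays header: skipped
]

if __name__ == "__main__":
    for ip, row in reputation(SAMPLES).items():
        print(ip, row)
```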


Re: Logging IP addresses of spammer's SMTP

2008-09-03 Thread Thinline Maillist
Thanks. I did a slight change in Received.pm to log only untrusted 
relays, all on one line for each mail (through enabling own debug channel).
Now I'm going to write an analyzer, which will walk through spamd log 
daily and collect these records (only for spam with defined overscore) 
and add some host information (whois).


I know it's a bad idea to feed my blacklist directly, so I will check 
and edit the output by hand and after that add it to rbl. This won't be 
too much work as most spam is coming to me from only a few IPs (or IP 
ranges) at this time.

Thinline Maillist wrote:

Hi,

I'd like to log IPs from "Received" headers to spamd's log file for 
statistics  and further analysis (but only from messages marked as 
spam).
I tried to modify the code of spamd program, but unsuccessfully, 
since I chose to add it to parse_headers() subroutine, where only 
protocol specific headers are parsed (as it seems to me). 


parse_received_headers() (in Received.pm) is the function that parses 
the Received headers. it puts the relays in one of the X-Foo-Relays 
meta headers (trusted, Untrusted, Internal, External).


but if you do what you intend to do, be cautious:
- SA is about heuristics: it doesn't say that a message is spam or 
not. it gives you a score. this may be right. this may be wrong.

- if your trust path is misconfigured, the results may be arbitrary
- you can get spam from "good" relays (mailing lists, subscribed to 
newsletters, ... etc).


it is safer to use the results as a "reputation measure" instead of 
directly feeding a blacklist.



This is probably not a right piece of source where to place this 
feature.
I'm not a Perl programmer nor SA expert, so has anyone with more 
experience some idea, how to log spammers remote IPs? Thanks.


if you don't want to code anything, just configure SA to add its meta 
headers (you only need the untrusted relays header) then when you 
deliver the message, use an MDA that can log this header (maildrop, 
procmail, or even a silly shell script with a 'grep -m 1 
"^X-Untrusted-Relays:"' call).