Greetings.  I apologize if this has been asked before or if there is
documentation on this subject.  I was unable to find any via Google or mail
archives.

I currently have qmail-scanner installed with ClamAV and SpamAssassin.  All
the components are working properly.  Clamd and spamd are running as service
daemons.  Clam is working perfectly.  SpamAssassin's internal checker is
working perfectly.  Both are being called correctly from qmail-scanner.

I would like to step up SpamAssassin's accuracy by utilizing Pyzor & DCC
but am having sincere difficulty.  The problem is that SA is not performing
the Pyzor & DCC checks when using QS.  It works perfectly when I execute it
on the shell using:

spamassassin -P -t -D < 1062735534.19025.morpheus


Below is a good chunk of information from log and configuration files.
Anybody have any guesses, theories, and/or ideas?  Thanks in advance!


Cheers,
   matthew




VERSIONS
Qmail-Scanner: 1.20rc3
ClamAV: 0.60
SpamAssassin: 2.55


/etc/mail/spamassassin/local.cf
skip_rbl_checks 1
required_hits 5
auto_report_threshold 30
rewrite_subject 0
report_header 1
use_terse_report 1
defang_mime 0
dns_available yes
use_dcc 1
dcc_add_header 1
use_pyzor 1
pyzor_add_header 1
always_add_report 1


SPAMASSASSIN LOG
2003-09-05 16:01:24.630841500 logmsg: connection from localhost [127.0.0.1]
at port 43656
2003-09-05 16:01:24.645354500 logmsg: processing message
<[EMAIL PROTECTED]> for qscand:351.
2003-09-05 16:01:24.649457500 debug: bayes: 29889 tie-ing to DB file R/O
/opt/spamassassin/.spamassassin/bayes_toks
2003-09-05 16:01:24.650583500 debug: bayes: 29889 tie-ing to DB file R/O
/opt/spamassassin/.spamassassin/bayes_seen
2003-09-05 16:01:24.651115500 debug: debug: Only 1 spam(s) in Bayes DB < 200
2003-09-05 16:01:24.651174500 debug: bayes: 29889 untie-ing
2003-09-05 16:01:24.651203500 debug: bayes: 29889 untie-ing db_toks
2003-09-05 16:01:24.651455500 debug: bayes: 29889 untie-ing db_seen
2003-09-05 16:01:24.651856500 debug: running header regexp tests; score so
far=0
2003-09-05 16:01:24.663326500 debug: running body-text per-line regexp
tests; score so far=0
2003-09-05 16:01:24.679329500 debug: running raw-body-text per-line regexp
tests; score so far=0
2003-09-05 16:01:24.679949500 debug: running uri tests; score so far=0
2003-09-05 16:01:24.680139500 debug: uri tests: Done uriRE
2003-09-05 16:01:24.680868500 debug: running full-text regexp tests; score
so far=0
2003-09-05 16:01:24.682803500 debug: all '*From' addrs: [EMAIL PROTECTED]
2003-09-05 16:01:24.683607500 debug: all '*To' addrs:
[EMAIL PROTECTED]
2003-09-05 16:01:24.683961500 debug: forged_rcvd_trail: entry 0:
by=metissian.com from=(undef) mismatches=0
2003-09-05 16:01:24.684026500 debug: forged_rcvd_trail: entry 1: by=mac.com
from=mac.com mismatches=0
2003-09-05 16:01:24.686975500 debug: running meta tests; score so far=0
2003-09-05 16:01:24.687722500 debug: auto-learn? safety=4, ham=-2, spam=15,
body-hits=0, head-hits=0
2003-09-05 16:01:24.687749500 debug: auto-learn: currently using scoreset 0.
no need to recompute.
2003-09-05 16:01:24.687769500 debug: auto-learn? no: inside auto-learn
thresholds or safety zone around required_hits
2003-09-05 16:01:24.687857500 debug: is spam? score=0 required=5
tests=USER_AGENT_APPLEMAIL
2003-09-05 16:01:24.692358500 logmsg: clean message (0.0/5.0) for qscand:351
in 0.1 seconds, 137145 bytes.
2003-09-05 16:01:24.692653500 debug: bayes: 29889 untie-ing


QMAIL-SCANNER LOG
Fri, 05 Sep 2003 16:01:24 -0500:29880: +++ starting debugging for process
29880 by uid=89 at Fri, 05 Sep 2003 16:01:24 -0500
Fri, 05 Sep 2003 16:01:24 -0500:29880: setting UID to EUID so subprocesses
can access files generated by this script
Fri, 05 Sep 2003 16:01:24 -0500:29880: program name is
qmail-scanner-queue.pl, version 1.20rc3
Fri, 05 Sep 2003 16:01:24 -0500:29880: incoming SMTP connection from via
smtp from 17.250.248.89
Fri, 05 Sep 2003 16:01:24 -0500:29880: w_c: mkdir
/var/spool/qmailscan/morpheus106279568445629880
Fri, 05 Sep 2003 16:01:24 -0500:29880: w_c: start dumping incoming msg into
/var/spool/qmailscan/working/tmp/morpheus106279568445629880
[1062795684.26177]
Fri, 05 Sep 2003 16:01:24 -0500:29880: w_c: primary Content-Type of
multipart/mixed found
Fri, 05 Sep 2003 16:01:24 -0500:29880: w_c: found a top-level boundary
definition of Apple\-Mail\-6\-736610710
Fri, 05 Sep 2003 16:01:24 -0500:29880: w_c: attachment  1: Content-Type of
text/plain found
Fri, 05 Sep 2003 16:01:24 -0500:29880: found C-T attachment filename
clamdoc.pdf
Fri, 05 Sep 2003 16:01:24 -0500:29880: w_c: attachment  2: Content-Type of
application/pdf found
Fri, 05 Sep 2003 16:01:24 -0500:29880: w_c: rename new msg from
/var/spool/qmailscan/working/tmp/morpheus106279568445629880 to
/var/spool/qmailscan/working/new/morpheus106279568445629880
[1062795684.59236]
Fri, 05 Sep 2003 16:01:24 -0500:29880: d_m: starting
/usr/local/bin/reformime  -x/var/spool/qmailscan/morpheus106279568445629880/
</var/spool/qmailscan/working/new/morpheus106279568445629880
[1062795684.59263]
Fri, 05 Sep 2003 16:01:24 -0500:29880: d_m: finished
/usr/local/bin/reformime  -x/var/spool/qmailscan/morpheus106279568445629880/
[1062795684.6086]
Fri, 05 Sep 2003 16:01:24 -0500:29880: d_m: Checking all attachments to see
if they're MS-TNEF
Fri, 05 Sep 2003 16:01:24 -0500:29880: d_m: is
/var/spool/qmailscan/morpheus106279568445629880/clamdoc.pdf is a TNEF file?:
256 [1062795684.61052]
Fri, 05 Sep 2003 16:01:24 -0500:29880: d_m: is
/var/spool/qmailscan/morpheus106279568445629880/1062795684.29882-0.morpheus
is a TNEF file?: 256 [1062795684.61237]
Fri, 05 Sep 2003 16:01:24 -0500:29880: d_m: Manually unpack any zip files as
some virus scanners don't do zip under Unix!
Fri, 05 Sep 2003 16:01:24 -0500:29880: d_m: unpacking message took 0.02006
seconds
Fri, 05 Sep 2003 16:01:24 -0500:29880: unsetting QMAILQUEUE env var
Fri, 05 Sep 2003 16:01:24 -0500:29880: g_e_h: return-path is
"[EMAIL PROTECTED]", recips is "[EMAIL PROTECTED]"
Fri, 05 Sep 2003 16:01:24 -0500:29880: from="Matthew E. Porter"
<[EMAIL PROTECTED]>,subj=pyzor/dcc test 1,
x-qmail-scanner-message-id=<[EMAIL PROTECTED]>
via smtp from 17.250.248.89
Fri, 05 Sep 2003 16:01:24 -0500:29880: ini_sc: start scanning
Fri, 05 Sep 2003 16:01:24 -0500:29880: ini_sc: recursively scan the
directory /var/spool/qmailscan/morpheus106279568445629880/
Fri, 05 Sep 2003 16:01:24 -0500:29880: scanloop: starting scan of directory
"/var/spool/qmailscan/morpheus106279568445629880"...
Fri, 05 Sep 2003 16:01:24 -0500:29880: scanloop:
scanner=clamuko_scanner,plain_text_msg=0
Fri, 05 Sep 2003 16:01:24 -0500:29880: clamuko: starting scan of directory
"/var/spool/qmailscan/morpheus106279568445629880"...
Fri, 05 Sep 2003 16:01:24 -0500:29880: run /opt/clamav/bin/clamdscan -r
--disable-summary --max-recursion=10 --max-space=1000000
/var/spool/qmailscan/morpheus106279568445629880 2>&1
Fri, 05 Sep 2003 16:01:24 -0500:29880: --output of clamuko was:
/var/spool/qmailscan/morpheus106279568445629880: OK
--
Fri, 05 Sep 2003 16:01:24 -0500:29880: clamuko: finished scan of dir
"/var/spool/qmailscan/morpheus106279568445629880" in 0.010678 secs
Fri, 05 Sep 2003 16:01:24 -0500:29880: scanloop:
scanner=spamassassin,plain_text_msg=0
Fri, 05 Sep 2003 16:01:24 -0500:29880: SA: run /usr/bin/spamc  -f <
/var/spool/qmailscan/working/new/morpheus106279568445629880
Fri, 05 Sep 2003 16:01:24 -0500:29880: SA: overwriting
/var/spool/qmailscan/working/new/morpheus106279568445629880 with
/var/spool/qmailscan/working/new/morpheus106279568445629880.spamc
Fri, 05 Sep 2003 16:01:24 -0500:29880: spamassassin: finished scan of dir
"/var/spool/qmailscan/morpheus106279568445629880" in 0.085642 secs
Fri, 05 Sep 2003 16:01:24 -0500:29880: scanloop: finished scan of
"/var/spool/qmailscan/morpheus106279568445629880"...
Fri, 05 Sep 2003 16:01:24 -0500:29880: p_s: starting scan of directory
"/var/spool/qmailscan/morpheus106279568445629880"...
Fri, 05 Sep 2003 16:01:24 -0500:29880: p_s:  '81:ILOVEYOU' = 'Virus-subject'
= 'Love Letter Virus/Trojan'
Fri, 05 Sep 2003 16:01:24 -0500:29880: p_s:  type is a header!
Fri, 05 Sep 2003 16:01:24 -0500:29880: p_s:  checking for objects containing
subject: ILOVEYOU
Fri, 05 Sep 2003 16:01:24 -0500:29880: p_s:  '82:message/partial.*' =
'Virus-content-type' = 'Message/partial MIME attachments blocked by policy'
Fri, 05 Sep 2003 16:01:24 -0500:29880: p_s:  type is a header!
Fri, 05 Sep 2003 16:01:24 -0500:29880: p_s:  checking for objects containing
content-type: message/partial.*
Fri, 05 Sep 2003 16:01:24 -0500:29880: p_s:  '85:.{100,}' = 'Virus-date' =
'MIME Header Buffer Overflow'
Fri, 05 Sep 2003 16:01:24 -0500:29880: p_s:  type is a header!
Fri, 05 Sep 2003 16:01:24 -0500:29880: p_s:  checking for objects containing
date: .{100,}
Fri, 05 Sep 2003 16:01:24 -0500:29880: p_s:  '86:.{100,}' =
'Virus-mime-version' = 'MIME Header Buffer Overflow '
Fri, 05 Sep 2003 16:01:24 -0500:29880: p_s:  type is a header!
Fri, 05 Sep 2003 16:01:24 -0500:29880: p_s:  checking for objects containing
mime-version: .{100,}
Fri, 05 Sep 2003 16:01:24 -0500:29880: p_s:  '87:.{100,}' =
'Virus-resent-date' = 'MIME Header Buffer Overflow'
Fri, 05 Sep 2003 16:01:24 -0500:29880: p_s:  type is a header!
Fri, 05 Sep 2003 16:01:24 -0500:29880: p_s:  checking for objects containing
resent-date: .{100,}
Fri, 05 Sep 2003 16:01:24 -0500:29880: p_s:
'90:[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]
com|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]
e.com|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|JGQZC
[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|cxkawog@
krovatka.net|[EMAIL PROTECTED]' = 'Virus-to' = 'BadTrans Trojan exploit!'
Fri, 05 Sep 2003 16:01:24 -0500:29880: p_s:  type is a header!
Fri, 05 Sep 2003 16:01:24 -0500:29880: p_s:  checking for objects containing
to: 
[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|
[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]
m|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]
cite.com|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]
atka.net|[EMAIL PROTECTED]
Fri, 05 Sep 2003 16:01:24 -0500:29880: p_s:  'eicar.com' = '69' = 'EICAR
Test Virus'
Fri, 05 Sep 2003 16:01:24 -0500:29880: p_s: type is a size!
Fri, 05 Sep 2003 16:01:24 -0500:29880: p_s:  'happy99.exe' = '10000' =
'Happy99 Trojan'
Fri, 05 Sep 2003 16:01:24 -0500:29880: p_s: type is a size!
Fri, 05 Sep 2003 16:01:24 -0500:29880: p_s:  'zipped_files.exe' = '120495' =
'W32/ExploreZip.worm.pak virus'
Fri, 05 Sep 2003 16:01:24 -0500:29880: p_s: type is a size!
Fri, 05 Sep 2003 16:01:24 -0500:29880: p_s: checking clamdoc.pdf against
perlscanner database...
Fri, 05 Sep 2003 16:01:24 -0500:29880: p_s: file clamdoc.pdf is lowercased
to clamdoc.pdf and has extension .pdf
Fri, 05 Sep 2003 16:01:24 -0500:29880: p_s: compare clamdoc.pdf against
perlscanner database
Fri, 05 Sep 2003 16:01:24 -0500:29880: p_s: skipping auto-generated file
1062795684.29882-0.morpheus
Fri, 05 Sep 2003 16:01:24 -0500:29880: p_s: checking clamdoc.pdf against
perlscanner database...
Fri, 05 Sep 2003 16:01:24 -0500:29880: p_s: file clamdoc.pdf is lowercased
to clamdoc.pdf and has extension .pdf
Fri, 05 Sep 2003 16:01:24 -0500:29880: p_s: compare clamdoc.pdf against
perlscanner database
Fri, 05 Sep 2003 16:01:24 -0500:29880: p_s:  finished scan of dir
"/var/spool/qmailscan/morpheus106279568445629880" in 0.002922 secs
Fri, 05 Sep 2003 16:01:24 -0500:29880: ini_sc: scanning message took
0.099788 seconds
Fri, 05 Sep 2003 16:01:24 -0500:29880: q_r: fork off child into
/var/qmail/bin/qmail-queue...
Fri, 05 Sep 2003 16:01:24 -0500:29890: q_r: xstatus=0
Fri, 05 Sep 2003 16:01:24 -0500:29880: cleanup: /bin/rm -rf
/var/spool/qmailscan/morpheus106279568445629880/
/var/spool/qmailscan/working/new/morpheus106279568445629880
05/09/2003 16:01:24:29880: all finished. Total of 0.563409 secs



Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
