Ed Russell wrote:
I have to say a heartfelt THANK YOU to everyone who contributed to this
thread. My filter is working 500% more efficient that it ever was. I have
done the following:
1. Installed djbdns and I am using dnscache as I was told. I have
increased the cache size to 100 Megabytes and completely disabled logging
after determining it was working properly.
2. I have implemented rbl at the MTA level, I use relays.ordb.org and
sbl-xbl.spamhaus.org.
3. I have implemented Rules Du Jour. I selected a subset of the SARE
rules and misc others.
4. I have turned back on pyzor, razor and dcc.
Scanning times are well within tolerance with a minimal impact on delivery
time. See below (email addresses removed for privacy):
Feb 11 16:10:18 as spamd[4137]: spamd: identified spam (31.3/4.0) for
[EMAIL PROTECTED] :99 in 4.5 seconds, 1178 bytes.
Feb 11 16:10:18 as spamd[363]: spamd: clean message (1.2/4.0) for
[EMAIL PROTECTED] :99 in 3.1 seconds, 8939 bytes.
Feb 11 16:10:19 as spamd[4218]: spamd: clean message (0.0/4.0) for
[EMAIL PROTECTED] :99 in 5.4 seconds, 2245 bytes.
I have some final questions though,
a. Can I get any statistics from rblsmtpd (I know this isn't a group
devoted to it, but I figured I would ask)? I would like to know how many
got dropped and from where.
I don't use it anymore as my qmail toasters are not allowed traffic from
the outside, only from my MailScanner servers. I run Sendmail and do my
rbl checks there. But I would think this would get you a quick count,
#cd /var/log/qmail/smtpd/
#cat current [EMAIL PROTECTED] | grep rblsmtpd | wc -l
#cat current [EMAIL PROTECTED] | grep relays.ordb.org | wc -l
#cat current [EMAIL PROTECTED] | grep sbl-xbl.spamhaus.org | wc -l
Script from there forward and you can gleen just about as much as you
care to sift through. awk, sed, Ruby, or Perl are your friends there.
You can check access times on the logs to make sure you are checking
today's or yesterday's logs.
b. Does anyone have any utilities to get statistics from SA? Such as
what rules triggered spam etc etc. I have seen some posts with some
interesting looking reports. Currently I only use a hacked together script
I wrote to give me the raw amount of spam caught per day which greps
"identified spam" on maillog and then gives me a wc -l.
I see that has been answered already.
Once again, thanks so much to everyone. This group is simply amazing.
I second that!
DAve
Ed
-----Original Message-----
From: DAve [mailto:[EMAIL PROTECTED]
Sent: Friday, February 10, 2006 1:19 PM
To: users@spamassassin.apache.org
Subject: Re: General assistance
Ed Russell wrote:
User validation is going to be tough or all but impossible. This box
forwards off the mail to an NT box running SL Mail. There is no easy way
to
get a userlist out of this product. In addition the users change daily
and
some even use multi-drops.
You don't need to get a user list, you just need to ask the destination
server if the user exists before accepting the message. This is what
milter-ahead does on my MailScanner servers. I process and forward to
servers running qmail(my toasters) and Exchange, GroupMail, Groupwise,
Sendmail(my clients servers). All respond correctly to milter-ahead. I
do not know of a way to duplicate milter-ahead in qmail without
requiring something like vpopmail or LDAP.
Did you look at using dnscache? That might buy you enough breathing room
to shop around for a solution to user verification.
DAve
Ed
---------------------------------------------------
Talk is cheap since supply always exceeds demand.
---------------------------------------------------
-----Original Message-----
From: DAve [mailto:[EMAIL PROTECTED]
Sent: Friday, February 10, 2006 12:39 PM
To: users@spamassassin.apache.org
Subject: Re: General assistance
Ed Russell wrote:
[EMAIL PROTECTED] smtpd]# spamassassin --version
SpamAssassin version 3.1.0
running on Perl version 5.8.7
Spamd running with:
OPTIONS="-L -x -d -u nobody -m 45"
No user verification or RBL at the MTA level.
Absolutely do user verification. I can throw out from 20% to 80% of my
traffic depending on the current level of dictionary and Joe-Job
attacks. Since you are processing ahead of your clients Exchange boxes
I'm not sure how you can do that with qmail. I do it on my gateways
running MailScanner via milter-ahead, and on my toasters via checkuser
in vpopmail.
There might be a way to get qmail to check with an Exchange box to
validate a user without running vpopmail, but I won't know it.
DAve
12:20pm up 4:05, 1 user, load average: 9.49, 9.23, 9.23
313 processes: 300 sleeping, 12 running, 1 zombie, 0 stopped
CPU states: 18.9% user, 16.6% system, 0.0% nice, 64.4% idle
Mem: 2009856K av, 711560K used, 1298296K free, 353776K shrd, 129268K
buff
Swap: 2097136K av, 0K used, 2097136K free 225380K
cached
As you can see I have loads of head room as far as memory goes. I was
looking into integrating RBL into Qmail, but with the very high volume I
am
quite concerned that this will introduce a slowdown. If I increase the
inbound concurrent rate I eventually run into qmail-scanner problems with
reformime. Is there anything else I need consider?
Ed
---------------------------------------------------
Talk is cheap since supply always exceeds demand.
---------------------------------------------------
-----Original Message-----
From: Kristopher Austin [mailto:[EMAIL PROTECTED]
Sent: Friday, February 10, 2006 12:06 PM
To: [EMAIL PROTECTED]; users@spamassassin.apache.org
Subject: RE: General assistance
-----Original Message-----
From: Ed Russell [mailto:[EMAIL PROTECTED]
Sent: Friday, February 10, 2006 10:51 AM
To: users@spamassassin.apache.org
Subject: General assistance
Am I completely off base in the way I have this all setup? I have
went
with
a higher speed HD to increase the threshold on file I/O. Can I tune
the
performance of razor etc while maintaining delivery time? Is there
anything
else I should be considering? If I have not explained things well or
more
information is needed I will certainly provide anything.
A few questions I have:
What SA version are you running? spamassassin --version
What do you have --max-children set to?
How much memory do you have free when the box is fully loaded?
I'm trying to see if you have any headroom left to have more spamd
children running. It sounds like your problem is with waiting on DNS
returns. This should mean that you have plenty of processing power
remaining just not enough children to handle the requests.
Other things to consider:
Do you use RBLs at the MTA level?
Do you have user verification at the MTA level?
Look for messages your MTA can drop before sending to SA.
Kris
