Howdy -- I've seen a few mentions of BAYES_99 problems on the list over the past month or two, but nothing that reflects what I discovered was going on tonight on my system; I'm hoping someone can help! The executive summary is that every message on my system was hitting BAYES_99, and I deduced finally that spamd was using the bayes tokens for the "nobody" user even when it was successfully being passed another user's ID to use.

First, as the inciting event: two nights ago, I upgraded from SpamAssassin 3.1.0 to 3.2.1 (damn Ubuntu 6.06, which *still* is stuck at 3.1.0, hence me compiling and deploying 3.2.1 for myself).

Now, I have filters set up so that mail scoring more than 5.0 gets thrown into users' spam folders, and tonight, one of my users mentioned that a few more messages than normal were making it into her spam folder. I looked into it, and saw that all the false positive messages were hitting the BAYES_99 rule, and with further investigation, saw that *every* message coming through my mail system was hitting BAYES_99. I started debugging, and saw that spamd was running as root (as intended by me), and was being successfully passed the correct user by Postfix when it was passing the messages on to spamc to run through spamd; my spamd log showed something akin to this for each message:

Wed Jun 13 19:40:19 2007 [2404] info: spamd: connection from localhost [127.0.0.1] at port 39765
Wed Jun 13 19:40:19 2007 [2404] warn: spamd: still running as root: user not specified with -u, not found, or set to root, falling back to nobody
Wed Jun 13 19:40:19 2007 [2404] info: spamd: processing message <[EMAIL PROTECTED]> for rachel:65534
Wed Jun 13 19:40:21 2007 [2404] info: spamd: identified spam (6.5/5.0) for rachel:65534 in 2.0 seconds, 6275 bytes.
Wed Jun 13 19:40:21 2007 [2404] info: spamd: result: Y 6 - AWL,BAYES_99,HTML_IMAGE_RATIO_02,HTML_MESSAGE,MIME_HTML_ONLY,RDNS_DYNAMIC scantime=2.0,size=6275,user=rachel,uid=65534,required_score=5.0,rhost=localhost,raddr=127.0.0.1,rport=39765,mid=<[EMAIL PROTECTED] s2.jtgservers.com>,bayes=1.000000,autolearn=no

As you can see from that, I'm getting a spamd warning that it's running as root and falling back to nobody, but it specifically also says that it's identified the user as "rachel" and is processing it as her -- and that it's hitting the BAYES_99 rule.

I then did a "sa-learn -u rachel --clear", verified that it cleared the bayes tokens, learned a piece of ham as the user rachel (to re-establish her bayes token database), and used spamd again to send the same message as above through spamd as rachel (spamc -u rachel < message.raw > message.out); again, I got the same hit on BAYES_99.

I then did a "sa-learn -u root --clear" and ran it again, and again hit BAYES_99.

Finally, I did a "sa-learn -u nobody --clear" and ran it again, and BAYES_99 was gone. Looking at all the messages streaming through spamd, BAYES_99 was no longer being hit for them all, so clearly it was the nobody user that was causing the issue.

My question is: WHY?!? According to all the logging I could get, spamd was clearly seeing that the user passed in was "rachel"; where did "nobody" come into it?

As I said before, I was seeing this behavior running spamc directly (using the -u option to specify the user), so I can't imagine that my MTA enters into the problem; just in case, though, I'm running Postfix, and it calls spamc with the following argv argument in my master.cf file:

/usr/bin/spamc -u ${user} -e /usr/sbin/sendmail -oi -f ${sender} ${recipient}

Spamd is running daemonized, with the following options:

spamd --max-children=10 -d -x -q -i 127.0.0.1 -A 209.10.108.198,204.193.152.163,192.168.1.163,127.0.0.1

I'm using MySQL for my user prefs and bayes token databases; I know that the DB connection is working, because my user whitelist prefs are firing on appropriate emails, and when I issued the "sa-learn --clear" commands, I could see the MySQL process running in the processlist clearing out the appropriate DB entries.

What could be going on?  Thanks for any insight you might have!

Jason Levine
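
Added example, not part of the original post: a small audit of spamd "result:" lines in the format quoted above, reporting how many messages hit BAYES_99 and which named users were scanned under the fallback uid. The sample log is constructed, the 0.9 saturation threshold and function names are hypothetical, and uid 65534 is taken to be "nobody" as the quoted warning suggests.

```python
import re

# Constructed sample in the format of the spamd log lines quoted in the post.
SAMPLE_LOG = """\
Wed Jun 13 19:40:19 2007 [2404] warn: spamd: still running as root: user not specified with -u, not found, or set to root, falling back to nobody
Wed Jun 13 19:40:21 2007 [2404] info: spamd: result: Y 6 - AWL,BAYES_99,HTML_MESSAGE scantime=2.0,size=6275,user=rachel,uid=65534,required_score=5.0,bayes=1.000000,autolearn=no
Wed Jun 13 19:41:02 2007 [2405] info: spamd: result: Y 5 - BAYES_99,MIME_HTML_ONLY scantime=1.1,size=3100,user=sam,uid=65534,required_score=5.0,bayes=1.000000,autolearn=no
Wed Jun 13 19:41:30 2007 [2406] info: spamd: result: . 3 - BAYES_99 scantime=0.9,size=900,user=nobody,uid=65534,required_score=5.0,bayes=1.000000,autolearn=no
"""

# verdict flag, integer score, comma-separated rule names, key=value fields
RESULT_RE = re.compile(r"spamd: result: (\S) (-?\d+) - (?P<rules>\S*) (?P<fields>\S+)")
NOBODY_UID = "65534"  # assumption: uid of "nobody", as in the quoted log


def parse_results(log_text):
    """Return one dict (user, uid, rules) per spamd result line."""
    rows = []
    for line in log_text.splitlines():
        m = RESULT_RE.search(line)
        if not m:
            continue
        fields = dict(kv.split("=", 1) for kv in m["fields"].split(",") if "=" in kv)
        rows.append({"user": fields.get("user"), "uid": fields.get("uid"),
                     "rules": set(m["rules"].split(","))})
    return rows


def audit(log_text, rule="BAYES_99", threshold=0.9):
    """Summarise fallback warnings, user/uid mismatches and the rule hit rate."""
    rows = parse_results(log_text)
    fallbacks = sum("falling back to nobody" in l for l in log_text.splitlines())
    # Named users whose scan ran under the fallback uid rather than their own.
    mismatched = sorted({r["user"] for r in rows
                         if r["uid"] == NOBODY_UID and r["user"] != "nobody"})
    rate = sum(rule in r["rules"] for r in rows) / len(rows) if rows else 0.0
    return {"messages": len(rows), "fallback_warnings": fallbacks,
            "users_scanned_as_nobody_uid": mismatched,
            "rule_hit_rate": rate, "rule_saturated": rate >= threshold}


if __name__ == "__main__":
    for key, value in audit(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

A hit rate near 1.0 for a single Bayes bucket across unrelated users is the symptom described in the post; the audit reports it but does not explain which token database was consulted.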
