On Wed, 2009-07-01 at 01:15 +0200, Michelle Konzack wrote:
> On 2009-06-30 14:08:33, John Hardin wrote:
> > If zen worked to catch the message in procmail, how does it not work on
> > your MTA? Or did we misinterpret your original post?
>
> In Debian, the network related scans are activated and I do not know,
> why ZEN is never executed. If you know more about the "Debian Lenny"
> version of spamassassin, maybe you can point me into the right direction
> where to search.
>
> Note: On my "Debian Etch" installation it is working
>
> Thanks, Greetings and nice Day/Evening
>     Michelle Konzack
>     Systemadministrator
>     Tamay Dogan Network
>     Debian GNU/Linux Consultant
>

First of all, I don't use ZEN in SA. My personal feeling is I want to get
rid of spam at the earliest possible stage. I block anything on these
lists at the MTA level;

    zen.spamhaus.org
    dnsbl.sorbs.net
    b.barracudacentral.org

There are differing political views about this, but it is the method found
in the top selling anti-spam appliance, so hence I'm happy to use it. How
you would implement this depends on the MTA.

Moving specifically to SpamAssassin on Debian. Look at the contents of
these (adjusting the path where necessary);

    /etc/spamassassin/init.pre

(just to make sure there is nothing killing the network tests in here)

And then check the basic config file;

    /etc/spamassassin/local.cf

In particular

    # Enable or disable network checks
    skip_rbl_checks 0

    0 = off
    1 = on

My understanding is even if you get an RBL hit it's only going to up the
score of the mail. So you are, essentially, scanning spam if you do it
this way. However, some people like the safety blanket of scanning
hundreds of thousands of spam messages in case there may one day be a
false positive :-)

If this does not throw light onto your problem Michelle I would do a
couple of very basic sanity checks on your DNS system *from* the box
running SA.

Randomly from my logs I've picked an IP address blocked by ZEN in the last
hour (for testing) EG

    Jul 1 06:23:25 Rejected; blocked by zen.spamhaus.org 84.108.206.164

So from a command prompt (assuming you have dig installed) look for an
ANSWER section in reply to this query

    dig 164.206.108.84.zen.spamhaus.org

EG;

    ;; ANSWER SECTION:
    164.206.108.84.zen.spamhaus.org. 472 IN A 127.0.0.10
    164.206.108.84.zen.spamhaus.org. 472 IN A 127.0.0.4

Means you have a sane reply and the IP is blacklisted but of equal
importance is the time in which it takes to serve the request;

    ;; Query time: 3 msec

Anything much over a couple of hundred msecs would not be ideal, into the
thousands (1000+) and you have a problem.

If you don't get any result to this, or the result is hideously slow, then
you need to fix the DNS issue. This is not uncommon and usually centres
around firewall policy.

If it fails, btw, this is also worth a try;

    dig @4.2.2.2 164.206.108.84.zen.spamhaus.org
    dig @4.2.2.3 164.206.108.84.zen.spamhaus.org

and see if the issue is local DNS.

(AFAIR dig is part of dns utils if it is not already on the box but check
that: apt-get install dnsutils)
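
The DNS sanity check described in the message above, as an added example that is not part of the original post: it builds the reversed-octet query name and reads dig output to report both the listing result and the lookup speed. The function names, the 200 ms and 1000 ms cut-offs (taken from the message's rough guidance) and the handling of 127.255.255.x answers as Spamhaus error codes rather than listings are assumptions of this example.

```shell
#!/bin/sh
# Build the DNSBL query name: reverse the IPv4 octets and append the zone.
dnsbl_name() {
    printf '%s\n' "$1" | awk -F. -v zone="$2" \
        'NF == 4 { print $4 "." $3 "." $2 "." $1 "." zone }'
}

# Constructed sample reply: the header line is made up for this example; the
# answer records and query time are the ones quoted in the message.
sample_listed() {
    cat <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1
;; ANSWER SECTION:
164.206.108.84.zen.spamhaus.org. 472 IN A 127.0.0.10
164.206.108.84.zen.spamhaus.org. 472 IN A 127.0.0.4

;; Query time: 3 msec
EOF
}

# Read dig output on stdin; print "<verdict> codes=<list> time=<ms>ms speed=<class>".
# Assumption: 127.255.255.x answers are Spamhaus error codes (for example a
# query refused because it came through a public resolver), not listings.
classify_dig() {
    awk '
        match($0, /status: [A-Z]+/) { status = substr($0, RSTART + 8, RLENGTH - 8) }
        /^;; ANSWER SECTION:/       { in_answer = 1; next }
        in_answer && NF == 0        { in_answer = 0 }
        in_answer && $4 == "A"      { codes = codes (codes == "" ? "" : ",") $5 }
        /^;; Query time:/           { ms = $4 + 0; timed = 1 }
        END {
            if (!timed)                          verdict = "dns-failure"
            else if (codes ~ /127\.255\.255\./)  verdict = "query-refused"
            else if (codes ~ /(^|,)127\./)       verdict = "listed"
            else if (status == "NXDOMAIN")       verdict = "not-listed"
            else                                 verdict = "dns-failure"
            speed = "ok"
            if (!timed)         speed = "none"
            else if (ms > 1000) speed = "problem"
            else if (ms > 200)  speed = "slow"
            printf "%s codes=%s time=%sms speed=%s\n", verdict,
                   (codes == "" ? "-" : codes), (timed ? ms : "-"), speed
        }'
}

# Live use, run from the box running SA:
#   dig "$(dnsbl_name 84.108.206.164 zen.spamhaus.org)" | classify_dig
```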