Hello list,

I'm a happy long-time user of SA, and just upgraded a mail server from Debian 8 "jessie" to Debian 9 "stretch", and in turn upgraded SA from 3.4.0 to 3.4.1. The upgrade was smooth, other than some irrelevant breakage with FuzzyOCR¹; however, there's been an enormous increase in syslog messages that I've been combating, and I cannot find the root cause.

Upon upgrading to SA 3.4.1, each email scanned is emitting the following message to syslog:

    spamd[32137]: rules: meta test FREEMAIL_FORGED_FROMDOMAIN has dependency 'HEADER_FROM_DIFFERENT_DOMAINS' with a zero score

After a bit of searching, I gave up and simply added the following line to /etc/spamassassin/local.cf:

    score HEADER_FROM_DIFFERENT_DOMAINS 0.001

Now a week later, a similar set of 'meta test ... with a zero score' syslog messages have appeared:

    spamd[31552]: rules: meta test __FORM_FRAUD_3 has dependency 'LOTTO_AGENT' with a zero score
    spamd[31552]: rules: meta test __MONEY_FRAUD_3 has dependency 'LOTTO_AGENT' with a zero score
    spamd[31552]: rules: meta test __FORM_FRAUD_5 has dependency 'LOTTO_AGENT' with a zero score
    spamd[31552]: rules: meta test __ADVANCE_FEE_4_NEW has dependency 'LOTTO_AGENT' with a zero score
    spamd[31552]: rules: meta test __MONEY_FRAUD_8 has dependency 'LOTTO_AGENT' with a zero score
    spamd[31552]: rules: meta test __ADVANCE_FEE_2_NEW has dependency 'LOTTO_AGENT' with a zero score
    spamd[31552]: rules: meta test __MONEY_FRAUD_5 has dependency 'LOTTO_AGENT' with a zero score
    spamd[31552]: rules: meta test __ADVANCE_FEE_3_NEW has dependency 'LOTTO_AGENT' with a zero score
    spamd[31552]: rules: meta test __ADVANCE_FEE_5_NEW has dependency 'LOTTO_AGENT' with a zero score
    spamd[31552]: rules: meta test __FORM_FRAUD has dependency 'LOTTO_AGENT' with a zero score

Looking at the timestamps of /var/lib/spamassassin/3.004001 files reveals that there was an sa-update this morning, minutes before the warning messages began.

Now I suppose I'll add another line to local.cf ("score LOTTO_AGENT 0.001"), but this doesn't feel right - this server has been set up for ten+ years, has been through four or five Debian stable upgrades, and the corresponding SA upgrades, and in all these years SA has been low maintenance.

What could be the cause?

- Cruft left behind by old SA versions (e.g. /etc/spamassassin/v310.pre, /var/lib/spamassassin/3.003001, etc.)?
- Is there a bug with the project's sa-update channel / auto-mass-check setup?
- Configuration for sa-update's channels seems rather sparse, and I see no evidence that I'm using anything other than the defaults. Could I be pulling from the wrong channel?

FWIW my local.cf is pretty boring, a bit of bayes configuration, trusted_networks and shortcircuit options. On a per-user basis there are a few odd custom rules, but nothing hitting this "money" and/or freemail stuff.

I ran “spamassassin -D --lint” and it only reported dbg messages, none of which contained "LOTTO_AGENT".

I also manually ran “su debian-spamd -c "sa-update --refreshmirrors -D channel,gpg,http --gpghomedir /var/lib/spamassassin/sa-update-keys"”, which is normally handled by Debian's cron.daily script, and its output was clean:

    Jun 15 16:25:55.464 [3027] dbg: gpg: Searching for 'gpg'
    Jun 15 16:25:55.464 [3027] dbg: gpg: found /usr/bin/gpg
    Jun 15 16:25:55.464 [3027] dbg: gpg: release trusted key id list: 0C2B1D7175B852C64B3CDC716C55397824F434CE 5E541DC959CB8BAC7C78DFDC4056A61A5244EC45
    Jun 15 16:25:55.465 [3027] dbg: channel: attempting channel updates.spamassassin.org
    Jun 15 16:25:55.465 [3027] dbg: channel: using existing directory /var/lib/spamassassin/3.004001/updates_spamassassin_org
    Jun 15 16:25:55.465 [3027] dbg: channel: channel cf file /var/lib/spamassassin/3.004001/updates_spamassassin_org.cf
    Jun 15 16:25:55.465 [3027] dbg: channel: channel pre file /var/lib/spamassassin/3.004001/updates_spamassassin_org.pre
    Jun 15 16:25:55.466 [3027] dbg: channel: metadata version = 1798658, from file /var/lib/spamassassin/3.004001/updates_spamassassin_org.cf
    Jun 15 16:25:55.561 [3027] dbg: channel: current version is 1798658, new version is 1798658, skipping channel

Any ideas?

¹ https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=808572

--
Gerald Turner <gtur...@unzane.com>
Encrypted mail preferred!
OpenPGP: 4096R / CA89 B27A 30FA 66C5 1B80 3858 EC94 2276 FDB8 716D