SA_DELETE not working

Forum for getting help with Project Gamera, Spamassassin, Clamav, qmail-scanner and other anti-spam tools.
jrfernandes
New Forum User
Posts: 4
Joined: Sat Dec 15, 2007 10:22 pm

Unread post by jrfernandes »

Hello,

I've set SA_DELETE to 5 in my qmail-scanner.ini; however, I still get messages with high scores in my mailbox.

What might I be missing?

Thank you
scott
Atomicorp Staff - Site Admin
Posts: 8355
Joined: Wed Dec 31, 1969 8:00 pm
Location: earth

Unread post by scott »

What is required_hits set to? 5?

Unread post by jrfernandes »

It's strange, I have changed /etc/mail/spamassassin/local.cf from 7 to 5 (both required_hits and required_score) and in my mail headers I still get the minimum as 7.

What I've done was:
# /etc/rc.d/init.d/psa-spamassassin stop
# service clamd stop
# service qmail stop
- change local.cf to 5 (required_hits and required_score)
- change SA_DELETE=5 in qmail-scanner.ini
# qmail-scanner-reconfigure
# /etc/rc.d/init.d/psa-spamassassin start
# service clamd start
# service qmail start

I'm getting spam marked as spam; however, being required_hits=5 and SA_DELETE=5, everything superior to 10 should be deleted, right?

Here's one header:

Subject: [SPAM] To: joel
From: Glenn Murphy <oscar@navyparty.com>
Reply-To: oscar@navyparty.com
Date: 01:42 PM
To: joel@digital-work.com
X-Account-Key: account2
X-UIDL: UID17841-1139044789
X-Mozilla-Status: 0001
X-Mozilla-Status2: 10000000
Return-Path: <oscar@navyparty.com>
Delivered-To: 44-joel@digital-work.com
X-Spam-Flags: YES
X-Spam-Checker-Version: SpamAssassin 3.2.3 (2007-08-08) on ds9.serverchoice.com
X-Spam-Level: *****************
X-Spam-Status: Yes, score=17.4 required=7.0 tests=ALL_TRUSTED,BAYES_50, DIGEST_MULTIPLE,HTML_IMAGE_ONLY_08,HTML_MESSAGE,HTML_SHORT_LINK_IMG_1, INVALID_DATE,MIME_HTML_ONLY,PART_CID_STOCK,PART_CID_STOCK_LESS,PYZOR_CHECK, RAZOR2_CF_RANGE_51_100,RAZOR2_CF_RANGE_E8_51_100,RAZOR2_CHECK, T_TVD_FW_GRAPHIC_ID1,URIBL_BLACK,URIBL_JP_SURBL,URIBL_SBL,URIBL_WS_SURBL autolearn=spam version=3.2.3
X-Spam-Report:
 * -1.8 ALL_TRUSTED Passed through trusted hosts only via SMTP
 * 1.2 INVALID_DATE Invalid Date: header (not RFC 2822)
 * 0.0 T_TVD_FW_GRAPHIC_ID1 BODY: T_TVD_FW_GRAPHIC_ID1
 * 0.0 HTML_MESSAGE BODY: HTML included in message
 * 1.8 HTML_IMAGE_ONLY_08 BODY: HTML: images with 400-800 bytes of words
 * 0.0 BAYES_50 BODY: Bayesian spam probability is 40 to 60%
 *      [score: 0.5002]
 * 1.5 MIME_HTML_ONLY BODY: Message only has text/html MIME parts
 * 1.5 RAZOR2_CF_RANGE_E8_51_100 Razor2 gives engine 8 confidence level
 *      above 50%
 *      [cf: 100]
 * 0.5 RAZOR2_CHECK Listed in Razor2 (http://razor.sf.net/)
 * 0.5 RAZOR2_CF_RANGE_51_100 Razor2 gives confidence level above 50%
 *      [cf: 100]
 * 3.7 PYZOR_CHECK Listed in Pyzor (http://pyzor.sf.net/)
 * 1.5 URIBL_WS_SURBL Contains an URL listed in the WS SURBL blocklist
 *      [URIs: kugmgov.com]
 * 1.5 URIBL_JP_SURBL Contains an URL listed in the JP SURBL blocklist
 *      [URIs: kugmgov.com]
 * 1.5 URIBL_SBL Contains an URL listed in the SBL blocklist
 *      [URIs: kugmgov.com]
 * 2.0 URIBL_BLACK Contains an URL listed in the URIBL blacklist
 *      [URIs: kugmgov.com]
 * 0.0 DIGEST_MULTIPLE Message hits more than one network digest check
 * 1.6 PART_CID_STOCK Has a spammy image attachment (by Content-ID)
 * 0.4 PART_CID_STOCK_LESS Has a spammy image attachment (by Content-ID,
 *      more specific)
 * 0.0 HTML_SHORT_LINK_IMG_1 HTML is very short with a linked image
Received: (qmail 14167 invoked by uid 10071); 16 Dec 2007 13:35:10 +0000
Received: from 127.0.0.1 (sendmail-bs@127.0.0.1) by ds9.serverchoice.com (envelope-from <oscar@navyparty.com>, uid 0) with qmail-scanner-2.01st (clamdscan: 0.91.2/5140. spamassassin: 3.2.3. perlscan: 2.01st. Clear:RC:1(127.0.0.1):. Processed in 0.049517 secs); 16 Dec 2007 13:35:10 -0000
Received: from localhost (HELO 6954688c40334fd) (sendmail-bs@127.0.0.1) by localhost with SMTP; 16 Dec 2007 13:35:04 +0000
Received: from [84.47.118.5] by smtp.secureserver.net; , 16 Dec 2007 14:42:28 +0100
X-Mailer: The Bat! (v3.0.1.33) Home
X-Priority: 3 (Normal)
Message-ID: <000770328.20532790512747@navyparty.com>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----------925842584016E1DA"
X-Spam-Prev-Subject: To: joel

Unread post by scott »

Yeah, that should have nailed it. You're not using any domain-specific settings, are you?

Unread post by jrfernandes »

From that specific account (where that mail was delivered), I have this file:
/var/qmail/mailnames/digital-work.com/joel/.spamassassin/user_prefs with the following content:

rewrite_header subject [SPAM]
required_score 5.00
required_hits 5.00


Is there any other specific configuration file?

Unread post by scott »

Nope, just set sa_delete and that's it.

Unread post by jrfernandes »

Strange... it isn't working then :/

I'm going blind on this, don't know where to start looking.
randysq
Forum User
Posts: 5
Joined: Sun Dec 30, 2007 2:36 pm

Unread post by randysq »

Were you ever able to sort out what was happening, jrf?

Just yesterday I installed Scott's RPMs (clamd, razor-agents, dcc and pyzor, along with qmail-scanner) that I found in another thread. I'm getting exactly the same thing if I try to set SA_DELETE in the qmail-scanner.ini file, at least with some of my addresses.

One thing I did notice in the maillog that is bound to have something to do with it.

Dec 30 12:47:53 serv spamd[22059]: Using default config for qscand: /var/qmail/mailnames///.spamassassin/user_prefs
Dec 30 12:47:53 serv spamd[22059]: checking message <20071230114750.3979.qmail@mpool4-233.tsrv.ru> for qscand:110.
Dec 30 12:48:03 serv dccproc[22631]: continue not asking DCC 1663 seconds after failure
Dec 30 12:48:04 serv spamd[22059]: identified spam (14.3/7.0) for qscand:110 in 11.7 seconds, 8953 bytes.
Dec 30 12:48:04 serv spamd[22059]: result: Y 14 - DIET_1,DRUGS_ERECTILE,HTML_FONT_BIG,HTML_MESSAGE,IMPOTENCE,<removed a bunch of stuff to stop the horizontal scroll>

If I read the above correctly, qscand is looking in a non-existent location for the user_prefs. Which would explain why the high hit spam is getting through. The odd part is other email addresses of mine show the correct path to that email address' user_prefs.

I've got a bit of a different situation I think, because the original email address in the To: string is actually nothing more than one that then redirects out to myself and another person, so has no SpamAssassin set up currently. I think that may be causing my problem, since this first email address is also whitelisted in my 2nd address where I actually read the mail.

I was going to try enabling SA on the first "public" address to see if that did the trick, but since technically there is no mailbox there Plesk won't let me enable SA. I'm betting that would do the trick though. Instead I guess I'll let the spam be "delivered" there, and simply stop whitelisting that public email address in the one I actually use. Hopefully that'll cut the spam off before it gets to me. Though it would be nice if there were a way to enable SA for those placeholder email addresses that then forward on to a group of real email addresses.

I don't suppose you have a similar setup where your high hit email is actually coming through another address first, do you?

Does that sort of convoluted process that's letting the spam through make sense to you Scott? I'm playing a hunch, but it does make some sense.
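An added example, not part of any post in this thread: a small check that reads the score and threshold out of spamd log lines or X-Spam-Status headers like the ones quoted above, flags when the threshold in effect differs from the one configured, and marks scores above required + SA_DELETE. The function name, the field names and the cutoff rule (taken from the poster's description of SA_DELETE) are assumptions.

```python
import re

# Score/threshold as spamd logs them and as SpamAssassin writes them into headers.
SPAMD_RE = re.compile(
    r"spamd\[\d+\]: (?:identified spam|clean message) \((-?[\d.]+)/(-?[\d.]+)\)")
STATUS_RE = re.compile(r"X-Spam-Status: \w+, score=(-?[\d.]+) required=(-?[\d.]+)")


def audit(lines, configured_required, sa_delete):
    """Compare the threshold spamd actually applied with the configured one,
    and report whether each score is above required + SA_DELETE."""
    findings = []
    for line in lines:
        m = SPAMD_RE.search(line) or STATUS_RE.search(line)
        if not m:
            continue  # not a scoring line
        score, required = float(m.group(1)), float(m.group(2))
        findings.append({
            "score": score,
            "required_in_effect": required,
            # True when spamd is not using the local.cf/user_prefs value you set
            "threshold_mismatch": abs(required - configured_required) > 1e-9,
            # Assumption from the thread: delete when score > required + SA_DELETE
            "over_delete_cutoff": score > required + sa_delete,
        })
    return findings


# Two lines taken from the thread (the header's test list is shortened),
# plus one constructed line for contrast.
SAMPLE = [
    "X-Spam-Status: Yes, score=17.4 required=7.0 tests=ALL_TRUSTED,BAYES_50 "
    "autolearn=spam version=3.2.3",
    "Dec 30 12:48:04 serv spamd[22059]: identified spam (14.3/7.0) for "
    "qscand:110 in 11.7 seconds, 8953 bytes.",
    "Dec 30 12:49:10 serv spamd[22059]: identified spam (8.1/5.0) for "
    "qscand:110 in 2.0 seconds, 4021 bytes.",  # constructed
]

if __name__ == "__main__":
    for finding in audit(SAMPLE, configured_required=5.0, sa_delete=5.0):
        print(finding)
```

A line that shows both a mismatch and a score over the cutoff, as the two quoted lines do, points at spamd reading a different configuration than the one edited, rather than at the SA_DELETE value itself.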

Unread post by scott »

I've seen that /var/qmail/mailnames path pop up once or twice before. What does your /etc/sysconfig/spamassassin look like?

Unread post by randysq »

/etc/sysconfig/spamassassin

SPAMDOPTIONS="-d -c -m5 -H"

FTR, I did some further checking and the other addresses (or at least the handful I spot checked) are letting through the high hit spam too, so my prior hunch regarding the mailgroup forwarding wasn't necessarily correct.

It would appear SA_DELETE simply isn't deleting. Which I assume is probably a configuration issue on my end.

You don't have to have SA_QUARANTINE enabled to get SA_DELETE to work do you? I didn't really want to quarantine stuff just so it can take up space.

Unread post by scott »

Add -u qscand on that, and see what you get.

Unread post by randysq »

No difference Scott. Something is definitely screwy somewhere.

The only way I can apparently get SA to automatically delete messages is to set it to do that in the Plesk cp for that email address. And then it goes off of the hit setting there, not the SA_DELETE in the qmail-scanner.ini file. Which is sort of all or nothing and why I don't like doing that.

I was hoping to get everything above say 4.00 or 5.00 designated as Spam that I can filter locally with some rules in Eudora so that they go to my Junk folder, but are still accessible just in case. Then anything up above 10-12 to be auto deleted.

I'm going to play with the SA_QUARANTINE a bit today to see if it'll trigger. I'm bound and determined to figure this sucker out sooner or later. :D

Any further suggestions appreciated.

Unread post by scott »

Ah wait, I think I know what the problem is here. I will bet you it's because of the instance of the way psa runs spamassassin. Do this:

1) yum remove psa-spamassassin

2) killall -9 spamd

3) chmod +x /etc/init.d/spamassassin

4) /etc/init.d/spamassassin start

5) qmail-scanner-reconfigure

Now look again at the process, and make sure it's running with the right flags.

Unread post by randysq »

I think you hit on it Scott. There was some sort of conflict with Spamassassin and psa-spamassassin. I performed all of the above, adding in a step to upgrade spamassassin from 3.06 to 3.23 from your rpm packages while I was at it.

The only issue that raised was Pyzor checks failed, citing an internal error. I already tried rpm -e pyzor and installed it again, ran qmail-scanner-reconfigure again, but I'm still getting the following message in the maillog:

Jan  2 08:50:13 serv spamd[23583]: pyzor: check failed: internal error

Any ideas on correcting that one?

I am, however, now seeing the SA:SPAM-DELETED messages in the maillog, so it looks like it's working.

Last question...

Is there a significant reason not to have psa-spamassassin running too so that people can set their own spam level? Is there a performance level hit that would be part of the mix if the psa-spamassassin functionality were to still be there? Would it break things again?

And let me throw in another one just in case. Since this is a RHEL4 system I'm using up2date instead of yum. Is there a way to tell up2date to only get "psa-" packages from your repo? It's not that I don't trust other rhn sources for psa stuff, it's just that I don't trust 'em.

When I tried up2date --install psa-spamassassin just to see I got the following:

The package psa-spamassassin-8.3.0-rhel4.build83071218.18 is not signed with a GPG signature.  Aborting...
Package psa-spamassassin-8.3.0-rhel4.build83071218.18 does not have a GPG signature.
breun
Long Time Forum Regular
Posts: 2813
Joined: Sat Aug 20, 2005 9:30 am
Location: The Netherlands

Unread post by breun »

SWsoft's packages are not signed. I don't know about up2date, but you can set yum not to check GPG signatures for specific repositories (gpgcheck=0).
Lemonbit Internet Dedicated Server Management