general spamassassin qmail scanner question

Forum for getting help with Project Gamera, Spamassassin, Clamav, qmail-scanner and other anti-spam tools.

Post by BruceLee

Hi,
I'm a little bit confused about what exactly "yum install spamassassin clamd razor pyzor dcc qmail-scanner" covers and what not.

It seems to me that I have to configure almost everything on my own in local.cf and qmailscanner.ini.
pyzor, dcc and razor are installed, but it doesn't look to me like they are configured.
For example: Which setting is the right one:

SA_SUBJECT="****SPAM****"
in qmailscanner.ini
or
rewrite_header Subject [SPAM]
in local.cf

What is covered besides installation of packages and the qmail-scanner-reconfigure?
Does everything from "spamassassin clamd razor pyzor dcc qmail-scanner" startup/update/cron already, or do I have to do that manually as well?

Does the setting SETTINGS_PER_DOMAIN="yes" in qmailscanner.ini mean that I have to manually create all the "pretty" files from spamassassin every time something changes in the domains under var/qmail/mailnames via user_prefs?

etc. etc. etc.

I'm missing a short "How to" or "What do these packages provide" after "yum install spamassassin clamd razor pyzor dcc qmail-scanner".

Thanks a lot.

Re: general spamassassin qmail scanner question
Post by BruceLee

ok, I did some configuration but I can't get it going correctly.
I would appreciate any help.

I left the qmail-scanner.ini untouched:

Code:

# qmail-scanner settings
QMAILSCANNERHOME="/usr/share/qmail-scanner"
SPOOLDIR="/var/spool/qscan"
SPAMDIR="/var/spool/qscan/quarantine/spam"

QS_USER="qscand"                        # default is qscand
QS_GROUP="qscand"                       # default is qscand
NOTIFY="none"                           # [none|sender|recips|precips|admin|nmladm|nmlvadm|all] (defaults to "psender,nmlvadm")
ARCHIVE="no"                            # [yes|no|regex]
FIX_MIME="2"                            # [yes|no|num], try "1" if blocks occurring due to this setting
IGNORE_EOL_CHECK="no"                   # [yes|no]
ADD_DESC_HEADERS="no"                   # [yes|no|all], old-fashion X-Qmail-Scanner, "all" adds rcpt to headers
DEBUG="no"                              # [yes|no]
MINIDEBUG="1"                           # [yes|no|1|2]
SETTINGS_PER_DOMAIN="yes"               # [yes|no]

# ClamAV settings
CLAMD_USER="qscand"                     # default is clamav

# Spamassassin settings
SA_SETTINGS="-d -c -m5 -H"              # Default settings for spamd
SA_SQL="no"                             # [yes|no], runs spamassassin with the 'rcpt to' as option. Only use if mysql is enabled in SA
SA_DELTA="1"                            # [num]
SA_SUBJECT="****SPAM****"               # <"some text">
SA_QUARANTINE="0"                       # [num], required_hits + sa_quarantine  will go to SPAMDIR, 0 disables
SA_DELETE="0"                           # [num], required_hits + sa_delete will be deleted, 0 disables
SA_REJECT="no"                          # [yes|no], changes deletes to rejects
SA_ALT="no"                             # [yes|no], runs in *fast_spamassassin* mode and doesn't pass the '-u' optio
SA_DEBUG="no"                           # [yes|no], requires sa-alt: yes
SA_REPORT="no"                          # [yes|no], requires sa-alt: yes, sa-debug: yes
SA_FORWARD=""                           # <username@domain>, User to redirect quarantined spam mails, unmodified for sa-learn (not used)
SA_VERBOSE="no"                         # [yes|no], requires SA-FORWARD (not used)

my local.cf looks like this:

Code:

report_safe             0
use_bayes               1
bayes_auto_learn        1
skip_rbl_checks         1
use_razor2              1
use_pyzor               1
ok_locales              all
add_header all Status score=_SCORE_
rewrite_header subject ***SPAM(Punkte:_SCORE_)***
bayes_auto_learn_threshold_nonspam 1
bayes_auto_learn_threshold_spam 8
razor_timeout 5
pyzor_timeout 5
required_hits 4
bayes_auto_learn_threshold_nonspam 1
bayes_path /var/qmail/.spamassassin/bayes
razor_config /etc/razor/razor-agent.conf 
pyzor_path /usr/bin/pyzor

- "spamassassin --lint" >> no errors
- "/usr/share/qmail-scanner/qmail-scanner-reconfigure.psa" went through
- restarted daemon
- I can receive and send emails
but it doesn't look like spam gets caught or autolearned or scored.
The header is showing this:

Code:

    *  (qmail 23130 invoked by uid 10005); 20 Feb 2010 19:16:52 +0100
    * from sending-server by receiving-server (envelope-from <from-address>, uid 2020) with qmail-scanner-2.08st (clamdscan: 0.95.3/10417. spamassassin: 3.2.5. perlscan: 2.08st. Clear:RC:0(87.106.191.38):SA:0(0.0/4.0):. Processed in 0.366003 secs); 20 Feb 2010 18:16:52 -0000
    * from sending-server (IP) by receiving-server with (DHE-RSA-AES256-SHA encrypted) SMTP; 20 Feb 2010 19:16:52 +0100
    * (qmail 5574 invoked from network); 20 Feb 2010 19:16:51 +0100
    * from dslb-xxx-pools.arcor-ip.net (HELO black) (client-IP) by sending-server with SMTP; 20 Feb 2010 19:16:51 +0100

	* X-Spam-Status:  	No, hits=0.0 required=4.0

or

Code:

* X-Spam-Status:  	Yes, hits=11.1 required=4.0

so it's doing something.
but the bayes file is not created.
and what can I do to filter them out?
I'm still confused about the qmail-scanner.ini and the spamassassin configuration.
do I have to put anything in there?
is pyzor used?
is dcc used?
is razor used?

THANKS A LOT FOR ANY HELP

Re: general spamassassin qmail scanner question
Post by faris

I think the thing you need to know is that qmail-scanner uses spamassassin to score a message, and depending on the score will then drop or reject (or quarantine) the email. qmail-scanner will also drop or reject emails infected by a virus, as detected by clamav.

your local.cf is only for spamassassin, and tells it when to consider a message as spam or not (required_hits=). If the message scores greater than or equal to required_hits, spamassassin will add the spam tag (not sure if qmail-scanner overrides that tag or not) to the subject.

qmail-scanner.ini is where you decide what to do with the spam.

The two important lines are

SA_DELETE="0"                           # [num], required_hits + sa_delete will be deleted, 0 disables
SA_REJECT="no"                          # [yes|no], changes deletes to rejects

If you set SA_REJECT="yes" then qmail-scanner will reject, at the MTA level, any message that is definitely spam (sending server gets error message, which will cause the sending server to generate a bounce back to the sender). If set to "no" it will just silently drop the message.

SA_DELETE= allows you to decide the score that a message must ...errr.score, in order to be treated as definitely spam and deleted or rejected. Note that this happens at required_hits PLUS sa_delete.

So, messages that score less than local.cf's required_hits will be unmolested.
Messages that score more than required_hits but less than required_hits added to sa_delete will have their subject lines changed.
Messages that score required_hits added to sa_delete or greater will be rejected or deleted.

e.g. if required_hits=4, sa_delete=4, a message scoring between 4 and 7.9 will have the subject changed, while a message scoring 8 or more will be deleted or rejected.

I can't help with the bayes stuff -- other than to say that it needs something to learn from! Lots of email to start with, with autolearn on, will be a good start. You can also feed spam manually to sa with sa-learn.

It is late here, so the usual rule applies: never assume I know what I'm talking about, especially when I'm typing late at night (or early in the morning in this case).


Faris.
--------------------------------
<advert>
If you want to rent a UK-based VPS that comes with friendly advice and support from a fellow ART fan, please get in touch.
</advert>

Re: general spamassassin qmail scanner question
Post by BruceLee

hi faris,

thank you very much. That helped a lot.

I'm unhappy with the fact that the qmail-scanner.ini settings for SA_X are totally undocumented.
I can't find anything anywhere.

- What about the logfile?
- Do I need to use SA_SETTINGS="-d -c -m5 -H -s /var/log/spamd.log"?
- Or where do I find those logged data?
- SETTINGS_PER_DOMAIN="yes" is fine, but HOW?
.user_prefs of course, but what about sa_quarantine and sa_delete or other qmail-scanner.ini settings?
Without documentation it's a "trial and error" horror.

Also setting default local.cf settings in some cases is not working in this combination.
For example the add_header setting is not working as in default spamassassin 3.2.X
I have set:
add_header all Status _YESNO_, score=_SCORE_ required=_REQD_ tests=_TESTS_ autolearn=_AUTOLEARN_ version=_VERSION_

But at the end it shows just: add_header all Status _YESNO_, score=_SCORE_ required=_REQD_
These are missing: tests=_TESTS_ autolearn=_AUTOLEARN_ version=_VERSION_
version is found in the qmail-scanner-queue-version.
Which standard settings of spamassassin break/don't work in the "atomic-qmail-scanner-spamassassin-combination"?

Does it use dcc, razor and pyzor? Nothing in the mail header since tests=_TESTS_ is missing and nothing in qmail-queue.log.

I would like to achieve the following result.
Per domain spamassassin settings (if none > use global settings) with a domain based quarantine/spam folder,
autolearn and a way to know how to see which tests run through.

Thanks a lot. I'm sorry to bother you but since there is no documentation I really don't know where to start.

Re: general spamassassin qmail scanner question
Post by faris

I'm with you 100% on lack of docs and examples. When you compare this stuff to, say, spamdyke, which has docs, docs and more docs, plus the most helpful mailing list known to man, it gets depressing.

So experimentation, and googling, and asking on forums like this is the name of the game here.

I'm afraid I have not looked into settings per domain. I did look into the addheader stuff years ago, and found it did not work with qmail-scanner as-is. There's a post about this from me either here or on the Parallels forums. But I think it is here. I remember that someone, probably scott, mentioned something about it being possible but you need to change this that or the other.

I would not worry about that right now.

What you want to do is look at /usr/local/psa/var/log/maillog and /var/spool/qscan/qmail-queue.log

Send some messages and see what happens. Use the gtube test string in some. Use the eicar virus test string on others.

dcc, pyzor and razor almost work all by themselves. There may be a firewall issue with dcc but that's about it.

I recommend that you do a google search for "spamassassin pyzor dcc razor howto" (don't worry about qmail-scanner -- that's just icing on the cake and adding it to the equation will just complicate things) and have a read (that's what I did). You will then get a flavour of how they work a lot better, and some of the howtos give examples of how to test individual components (dcc in particular). Some of them have man pages too. I'm not saying you should follow the howtos - but they really help explain what does what and how. There's one in particular that talks about server-wide and individual account settings.

Using "spamassassin -D < testmessage.eml" is very useful, where testmessage.eml is an actual real email including headers. Ideally have one that's spam, and another one that's non-spam.

One thing to keep in mind -- when you do the spamassassin test as root, you are running spamassassin as root, and therefore spamassassin will have access to almost anything. If, in reality, spamassassin does not run as root (e.g. it runs as popuser), then you might want to repeat the test with sa running as popuser in case there are permission problems.

Now popuser (or whatever user it might be) may not (should not!) have shell permissions so su - popuser will not work.

I think it was Breun who gave me the magic formula for getting around this:

su -s /bin/bash - userthatnormallydoesnothaveashell

But all this is probably not needed - I'm sorry but I don't recall which user sa runs as in an ART/qmail-scanner setup and quite frankly it probably doesn't matter and on this occasion just run it as root.

Now......

You need to carefully look for errors regarding dcc, pyzor and razor in the debug output generated by spamassassin -D < testmessage.eml (or spamassassin --lint as you suggest, which is also a good idea)

Another thing to look out for is to see if DCC, pyzor or razor are listed in the maillog for incoming messages, where you WILL see the rule names for each rule that triggers on a particular message.

You won't see dcc pyzor or razor all that often necessarily, unless you have a handy domain that receives millions of spams that you can test with (we do -- it is wonderful. You can create one with a throw-away domain if you want - register the domain, sign up for lots of crappy mailing lists and pr0n sites, post the address in various discussion groups and forums and what have you and then watch the spam flow in. Oh, you can also redirect email to non-existent accounts on other domains to your "spamtrap" domain too).

Anyway...I'm brain dumping here. I'm sorry if this is all a bit disjointed and rambling and not even necessarily relevant or even factually accurate, but I hope a few snippets help in some way.

Here's a random example from maillog

Code:

 spamd: result: Y 9 - BAYES_60,RAZOR2_CF_RANGE_51_100,RAZOR2_CF_RANGE_E8_51_100,RAZOR2_CHECK,RCVD_IN_BRBL,SPF_HELO_PASS,URIBL_BLACK,URIBL_JP_SURBL scantime=4.4,size=1456,user=popuser,uid=110,required_score=4.0,rhost=localhost,raddr=127.0.0.1,rport=/tmp/spamd_full.sock,mid=<20100221094255@[redacted]>,bayes=0.689698,autolearn=spam

Do not panic, incidentally, if you see autolearn=unavailable or =no. This is normal behaviour. Have a search on this forum for autolearn and you'll find a post by me about this (I think).

Faris.
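
The maillog check described in the post above, as an added example that is not part of the original post or of SpamAssassin: it parses `spamd: result:` lines and counts how many messages triggered a Razor, DCC or Pyzor rule and how autolearn turned out. The log lines are constructed; the `DCC_` and `PYZOR_` prefixes are the stock SpamAssassin rule-name prefixes and are assumed here alongside the `RAZOR2_` names shown in the post.

```python
import re
from collections import Counter

# Rule-name prefixes of the three network checkers discussed in the thread.
CHECKERS = {"razor": "RAZOR2_", "dcc": "DCC_", "pyzor": "PYZOR_"}

# spamd summary line: "spamd: result: <Y|.> <score> - <TESTS> key=value,key=value,..."
RESULT_RE = re.compile(
    r"spamd: result: (?P<flag>[Y.]) (?P<score>-?\d+(?:\.\d+)?) - "
    r"(?P<tests>[A-Z0-9_,]*)\s*(?P<fields>scantime=\S+)"
)

# Constructed sample lines modelled on the maillog excerpt in the post.
SAMPLE_LOG = [
    "Feb 21 09:43:01 mx spamd[2101]: spamd: result: Y 9 - BAYES_60,RAZOR2_CF_RANGE_51_100,"
    "RAZOR2_CHECK,URIBL_BLACK scantime=4.4,size=1456,user=popuser,uid=110,"
    "required_score=4.0,rhost=localhost,raddr=127.0.0.1,rport=/tmp/spamd_full.sock,"
    "mid=<a1@example.invalid>,bayes=0.689698,autolearn=spam",
    "Feb 21 09:43:40 mx spamd[2101]: spamd: result: . 0 - SPF_HELO_PASS scantime=0.9,"
    "size=2210,user=popuser,uid=110,required_score=4.0,mid=<a2@example.invalid>,autolearn=no",
    "Feb 21 09:44:02 mx spamd[2101]: spamd: result: Y 12 - DCC_CHECK,PYZOR_CHECK,RAZOR2_CHECK "
    "scantime=3.1,size=3890,user=popuser,uid=110,required_score=4.0,"
    "mid=<a3@example.invalid>,autolearn=unavailable",
    # A message on which no rule fired at all: the test list is empty.
    "Feb 21 09:44:09 mx spamd[2101]: spamd: result: . 0 -  scantime=0.3,size=512,"
    "user=popuser,uid=110,required_score=4.0,mid=<a4@example.invalid>,autolearn=ham",
    # Unrelated maillog line, must be ignored.
    "Feb 21 09:44:10 mx qmail: 1266745450.1 info msg 100: bytes 512 from <x@example.invalid>",
]


def parse_result(line):
    """Return a dict for one spamd result line, or None for any other line."""
    m = RESULT_RE.search(line)
    if not m:
        return None
    fields = dict(
        item.split("=", 1) for item in m.group("fields").split(",") if "=" in item
    )
    return {
        "spam": m.group("flag") == "Y",
        "score": float(m.group("score")),
        "tests": [t for t in m.group("tests").split(",") if t],
        "autolearn": fields.get("autolearn", "unknown"),
        "user": fields.get("user"),
    }


def summarize(lines):
    """Count messages, per-checker hits and autolearn outcomes over a log excerpt."""
    hits = Counter({name: 0 for name in CHECKERS})
    autolearn = Counter()
    total = 0
    for line in lines:
        rec = parse_result(line)
        if rec is None:
            continue
        total += 1
        autolearn[rec["autolearn"]] += 1
        for name, prefix in CHECKERS.items():
            if any(t.startswith(prefix) for t in rec["tests"]):
                hits[name] += 1
    return {"messages": total, "hits": dict(hits), "autolearn": dict(autolearn)}


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

A zero count for a checker over a small sample does not show that it is disabled, since these rules only fire on messages the networks already know; the `spamassassin -D` run is what shows load or permission errors.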

Re: general spamassassin qmail scanner question
Post by biggles

One suggestion:

If you set
SA_ALT="yes" # [yes|no], runs in *fast_spamassassin* mode and doesn't pass the '-u' optio
SA_DEBUG="yes" # [yes|no], requires sa-alt: yes
SA_REPORT="yes" # [yes|no], requires sa-alt: yes, sa-debug: yes

you will get the actual tests in the mail header. Great for debugging!

Thanks a lot for your ramblings, faris. Gave me a few ideas to try out!

Re: general spamassassin qmail scanner question
Post by breun

There's also the qmail-scanner website which has some info: http://qmail-scanner.sourceforge.net/

/usr/share/qmail-scanner/settings_per_domain.txt explains the settings per domain feature.
Lemonbit Internet Dedicated Server Management

Re: general spamassassin qmail scanner question
Post by BruceLee

thanks a lot for your help faris, breun & biggles,

i'm working on this with some progress thanks to you.
the db needs to be trained with sa-learn
you also need to enable /uncomment the dcc option in v310.pre and allow UDP 6277 incoming. Otherwise dcc is not working.
with the logfile it's like breun wrote. all is in the maillog. the extra code in qmail-scanner.ini is not necessary.

So right now my files look like this:

Code:

# Spamassassin settings qmail-scanner.ini
SA_SETTINGS="-d -c -m5 -H"              # Default settings for spamd
SA_SQL="no"                             # [yes|no], runs spamassassin with the 'rcpt to' as option. Only use if mysql is enabled in SA
SA_DELTA="1"                            # [num]
SA_SUBJECT="***SPAM***"		     # <"some text">
SA_QUARANTINE="2"                       # [num], required_hits + sa_quarantine  will go to SPAMDIR, 0 disables
SA_DELETE="3"                           # [num], required_hits + sa_delete will be deleted, 0 disables
SA_REJECT="no"                          # [yes|no], changes deletes to rejects
SA_ALT="no"                             # [yes|no], runs in *fast_spamassassin* mode and doesn't pass the '-u' optio
SA_DEBUG="no"                           # [yes|no], requires sa-alt: yes
SA_REPORT="no"                          # [yes|no], requires sa-alt: yes, sa-debug: yes
SA_FORWARD=""                           # <username@domain>, User to redirect quarantined spam mails, unmodified for sa-learn (not used)
SA_VERBOSE="no"                         # [yes|no], requires SA-FORWARD (not used)

Code:

report_safe 0
use_bayes 1
bayes_auto_learn 1
skip_rbl_checks 1
required_hits 4
ok_locales all
add_header all Status _YESNO_, score=_SCORE_ required=_REQD_ tests=_TESTS_ autolearn=_AUTOLEARN_ version=_VERSION_
rewrite_header subject ***SPAM***
bayes_auto_learn_threshold_nonspam 1
bayes_auto_learn_threshold_spam 8
bayes_auto_learn_threshold_nonspam 1
bayes_path /var/qmail/.spamassassin/bayes
bayes_min_ham_num 200
bayes_min_spam_num 200
use_dcc 1
dcc_path /usr/bin/dccproc
dcc_timeout 5
use_razor2 1
razor_timeout 5
razor_config /etc/razor/razor-agent.conf 
use_pyzor 1
pyzor_path /usr/bin/pyzor
pyzor_timeout 5

spamassassin --lint always works in local test mode so it's not the preferred test method (like I have learned now).
like breun wrote "spamassassin -D < testmessage.eml" is the right method.

With these settings it's working. spamassassin is checking dcc, pyzor and razor2 and the other default checks.
the header gets written a little bit different, but to make sure you can set it like biggles wrote:
SA_ALT="yes" # [yes|no], runs in *fast_spamassassin* mode and doesn't pass the '-u' optio
SA_DEBUG="yes" # [yes|no], requires sa-alt: yes
SA_REPORT="yes" # [yes|no], requires sa-alt: yes, sa-debug: yes

Thanks to breun I had a look into /usr/share/qmail-scanner/settings_per_domain.txt
It looks very easy to implement. We will see within the next days.
I will get back and report.
Thanks again.

Re: general spamassassin qmail scanner question
Post by breun

I don't recommend using SA_ALT/SA_DEBUG in production unless you really need those headers in your messages, because performance is better when not using SA_ALT.

AFAIK you don't need to modify any files for dcc to work. v310.pre sounds like it's for SpamAssassin 3.1, the current version from Atomic is 3.2.5.

If you want to train SpamAssassin you can use sa-learn, but SpamAssassin also starts autolearning after a couple of hundred (200?) messages. We find that SpamAssassin works fine, even without manual training.
Lemonbit Internet Dedicated Server Management

Re: general spamassassin qmail scanner question
Post by BruceLee

you are right, setting those options is just for checking/debugging.
it works per default after 200 learned mails.
It's a fresh installation with spamassassin 3.2.5 from atomic.
If so, changing of v310.pre might not be necessary, but it works too.
I will sa-learn some mails manually and let spamassassin do the job afterwards.
And I want to add some cf files. For example the 70_zmi_german.cf
and let it update. We will see how it goes.

Re: general spamassassin qmail scanner question
Post by BruceLee

coming back with the latest updates to my task.
actually it is really simple to create per domain or user based settings.
like breun (thanks for giving the hint where to look :)) wrote everything is written and explained in
/usr/share/qmail-scanner/settings_per_domain.txt
I'm just making a quick summary:

all you need to do is add the settings you want and put them in
/var/spool/qscan/settings_per_domain.txt
You can omit the options that you want qmail-scanner to get from the qmail-scanner.ini, but you always have to specify the scanners for the user/domain. (marked red)
domain.com:clamdscan,sa,ps'''''''''spamdir_domain

you can even change the dir to another place instead of /var/spool/qscan/quarantine with adding the full path upwards
domain.com:clamdscan,sa,ps'''''''''/../../../../tmp/spamdir_domain

after that generate the db:
/var/qmail/bin/qmail-scanner-queue.pl -p

check with:
/var/qmail/bin/qmail-scanner-queue.pl -d

and that's it.

Thanks to all of you. Now I can set every customer's wishes.

Re: general spamassassin qmail scanner question
Post by lfenison

Does anyone know the best way to uninstall qmail-scanner without messing up qmail and spamassassin?

I installed it thinking I was only going to be adding clamav scanning ability to SA but it does so much more that I don't want and is upsetting all my customers.

They are getting their subject lines modified, and in some cases even messages deleted.

I tried all configuration options but there just doesn't seem to be a way to tell qmail-scanner to leave the message alone unless there is a virus or malware.

Documentation would have been nice but there doesn't seem to be any.

Re: general spamassassin qmail scanner question
Post by coolemail

breun wrote: I don't recommend using SA_ALT/SA_DEBUG in production unless you really need those headers in your messages, because performance is better when not using SA_ALT.

AFAIK you don't need to modify any files for dcc to work. v310.pre sounds like it's for SpamAssassin 3.1, the current version from Atomic is 3.2.5.

If you want to train SpamAssassin you can use sa-learn, but SpamAssassin also starts autolearning after a couple of hundred (200?) messages. We find that SpamAssassin works fine, even without manual training.

1. If we are getting false positives (genuine emails which are identified as Spam), then can we whitelist email addresses or whole domains, or train SpamAssassin at all? In the Plesk version, that is all on the GUI but we have the qmail-scanner version of it.

2. Linked to this, is there a way we can train Spamassassin so that it learns that emails identified as Spam ARE Spam? In short, telling it that a particular email is or is not Spam. Perhaps we can blacklist using either information in headers or some other way?

3. If someone sends us an email which is tagged as Spam, are we able to go back to them and tell them WHY that email was tagged by us so that they can sort out their systems?

4. If an email is not delivered, I think I'm right that it is not quarantined anywhere but is totally deleted from the server? And maillog would be the only way we would know it had been deleted? So what would be the best action to take before getting the sender to re-send?

For example, I have had a number of emails from one particular sender to lots of people that I would like to stop:
[plesk2.domain1.co.uk ~]# grep gmx.com /usr/local/psa/var/log/maillog
Jun 28 06:37:42 plesk2 qmail-queue-handlers[8805]: from=melissawilliams1@gmx.com
Jun 28 06:37:42 plesk2 qmail: 1277703462.393546 info msg 14813930: bytes 3333 from <melissawilliams1@gmx.com> qp 8806 uid 10113
Jun 28 06:37:42 plesk2 qmail-scanner[8793]: Clear:RC:0(200.43.175.99):SA:1(5.0/3.0): 0.91453 2851 melissawilliams1@gmx.com kuhle@domain1.com From_Melissa_Williams <20100627075600.772AC10AC2F3@server1.estranetsrl.com.ar> 1277703461.8795-0.plesk2.domain1.co.uk:2014 orig-plesk2.domain1.co.uk12777034617908793:2851
Jun 28 06:37:42 plesk2 qmail-local-handlers[8808]: from=melissawilliams1@gmx.com
Jun 28 08:02:58 plesk2 qmail-queue-handlers[22434]: from=melissawilliams1@gmx.com
Jun 28 08:02:58 plesk2 qmail: 1277708578.205613 info msg 14814978: bytes 3334 from <melissawilliams1@gmx.com> qp 22435 uid 10113
Jun 28 08:02:58 plesk2 qmail-scanner[22423]: Clear:RC:0(200.43.175.99):SA:1(5.0/3.0): 2.134992 2851 melissawilliams1@gmx.com jeff@hosted-domain2.com From_Melissa_Williams <20100627075404.D06141095386@server1.estranetsrl.com.ar> 1277708576.22425-0.plesk2.domain1.co.uk:2014 orig-plesk2.domain1.co.uk127770857579022423:2851
Jun 28 08:02:58 plesk2 qmail-local-handlers[22437]: from=melissawilliams1@gmx.com
Jun 28 08:11:02 plesk2 qmail-queue-handlers[23462]: from=melissawilliams1@gmx.com
Jun 28 08:11:02 plesk2 qmail: 1277709062.073405 info msg 14814983: bytes 3333 from <melissawilliams1@gmx.com> qp 23463 uid 10113
Jun 28 08:11:02 plesk2 qmail-scanner[23451]: Clear:RC:0(200.43.175.99):SA:1(5.0/3.0): 1.002715 2851 melissawilliams1@gmx.com leodumpmen@hosted-domain2.com From_Melissa_Williams <20100627075630.2EF0F10B10DC@server1.estranetsrl.com.ar> orig-plesk2.domain1.co.uk127770906079023451:2851 1277709061.23453-0.plesk2.domain1.co.uk:2014
Jun 28 08:11:02 plesk2 qmail-local-handlers[23465]: from=melissawilliams1@gmx.com
Jun 28 08:18:26 plesk2 qmail-queue-handlers[24446]: from=melissawilliams1@gmx.com
Jun 28 08:18:26 plesk2 qmail: 1277709506.772305 info msg 14813971: bytes 3331 from <melissawilliams1@gmx.com> qp 24447 uid 10113
Jun 28 08:18:26 plesk2 qmail-scanner[24435]: Clear:RC:0(200.43.175.99):SA:1(5.0/3.0): 0.703352 2849 melissawilliams1@gmx.com michael.rosenberg@hosted-domain2.com From_Melissa_Williams <20100627075835.DBA95D9FE8E@server1.estranetsrl.com.ar> 1277709506.24437-0.plesk2.domain1.co.uk:2014 orig-plesk2.domain1.co.uk127770950579024435:2849
Jun 28 08:18:26 plesk2 qmail-local-handlers[24449]: from=melissawilliams1@gmx.com
Jun 28 08:27:22 plesk2 qmail-queue-handlers[25711]: from=melissawilliams1@gmx.com
Jun 28 08:27:22 plesk2 qmail: 1277710042.706964 info msg 14813971: bytes 3334 from <melissawilliams1@gmx.com> qp 25712 uid 10113
Jun 28 08:27:22 plesk2 qmail-scanner[25701]: Clear:RC:0(200.43.175.99):SA:1(5.0/3.0): 0.655461 2851 melissawilliams1@gmx.com susanne@hosted-domain2.com From_Melissa_Williams <20100627080501.23B791103202@server1.estranetsrl.com.ar> orig-plesk2.domain1.co.uk127771004179025701:2851 1277710041.25703-0.plesk2.domain1.co.uk:2014
Jun 28 08:27:22 plesk2 qmail-local-handlers[25713]: from=melissawilliams1@gmx.com
Jun 28 08:57:57 plesk2 qmail-queue-handlers[30821]: from=melissawilliams1@gmx.com
Jun 28 08:57:57 plesk2 qmail: 1277711877.639309 info msg 14814993: bytes 3333 from <melissawilliams1@gmx.com> qp 30822 uid 10113
Jun 28 08:57:57 plesk2 qmail-scanner[30809]: Clear:RC:0(200.43.175.99):SA:1(5.0/3.0): 0.740905 2851 melissawilliams1@gmx.com robertjones@hosted-domain2.com From_Melissa_Williams <20100627080216.BE69E10F51BE@server1.estranetsrl.com.ar> 1277711876.30811-0.plesk2.domain1.co.uk:2014 orig-plesk2.domain1.co.uk127771187679030809:2851
Jun 28 08:57:57 plesk2 qmail-local-handlers[30824]: from=melissawilliams1@gmx.com
Jun 28 09:03:00 plesk2 qmail-queue-handlers[552]: from=melissawilliams1@gmx.com
Jun 28 09:03:00 plesk2 qmail: 1277712180.562779 info msg 14814951: bytes 3332 from <melissawilliams1@gmx.com> qp 553 uid 10113
Jun 28 09:03:00 plesk2 qmail-scanner[542]: Clear:RC:0(200.43.175.99):SA:1(5.0/3.0): 0.701949 2851 melissawilliams1@gmx.com richardhenleydavis@hosted-domain2.com From_Melissa_Williams <20100627080204.211461083355@server1.estranetsrl.com.ar> orig-plesk2.domain1.co.uk1277712179790542:2851 1277712179.544-0.plesk2.domain1.co.uk:2014
Jun 28 09:03:00 plesk2 qmail-local-handlers[555]: from=melissawilliams1@gmx.com
Jun 28 09:03:06 plesk2 qmail-queue-handlers[564]: from=melissawilliams1@gmx.com
Jun 28 09:03:06 plesk2 qmail: 1277712186.441426 info msg 14814951: bytes 3333 from <melissawilliams1@gmx.com> qp 565 uid 10113
Jun 28 09:03:06 plesk2 qmail-local-handlers[567]: from=melissawilliams1@gmx.com
Jun 28 09:03:06 plesk2 qmail-scanner[522]: Clear:RC:0(200.43.175.99):SA:1(5.0/3.0): 12.79412 2851 melissawilliams1@gmx.com richard.boyd@hosted-domain2.com From_Melissa_Williams <20100627080204.211461083355@server1.estranetsrl.com.ar> 1277712173.525-0.plesk2.domain1.co.uk:2014 orig-plesk2.domain1.co.uk1277712173790522:2851
Jun 28 09:51:57 plesk2 qmail-queue-handlers[9245]: from=melissawilliams1@gmx.com
Jun 28 09:51:57 plesk2 qmail: 1277715117.772653 info msg 14814984: bytes 3333 from <melissawilliams1@gmx.com> qp 9246 uid 10113
Jun 28 09:51:57 plesk2 qmail-scanner[9233]: Clear:RC:0(200.43.175.99):SA:1(5.0/3.0): 0.817626 2851 melissawilliams1@gmx.com dominic.dean@hosted-domain2.com From_Melissa_Williams <20100627074800.7B77B10525B0@server1.estranetsrl.com.ar> 1277715116.9235-0.plesk2.domain1.co.uk:2014 orig-plesk2.domain1.co.uk12777151167909233:2851
Jun 28 09:51:57 plesk2 qmail-local-handlers[9248]: from=melissawilliams1@gmx.com
Jun 28 09:58:10 plesk2 qmail-queue-handlers[10284]: from=melissawilliams1@gmx.com
Jun 28 09:58:10 plesk2 qmail: 1277715490.077838 info msg 14814951: bytes 3334 from <melissawilliams1@gmx.com> qp 10285 uid 10113
Jun 28 09:58:10 plesk2 qmail-scanner[10274]: Clear:RC:0(200.43.175.99):SA:1(5.0/3.0): 0.751416 2851 melissawilliams1@gmx.com support@domain1.com From_Melissa_Williams <20100627080444.D78351102937@server1.estranetsrl.com.ar> orig-plesk2.domain1.co.uk127771548979010274:2851 1277715489.10276-0.plesk2.domain1.co.uk:2014
Jun 28 09:58:10 plesk2 qmail-local-handlers[10287]: from=melissawilliams1@gmx.com
Jun 28 10:45:47 plesk2 qmail-queue-handlers[19590]: from=melissawilliams1@gmx.com
Jun 28 10:45:47 plesk2 qmail-scanner[19580]: Clear:RC:0(200.43.175.99):SA:1(5.0/3.0): 0.974565 2851 melissawilliams1@gmx.com info@domain1.com From_Melissa_Williams <20100627075210.112C2107A4D2@server1.estranetsrl.com.ar> orig-plesk2.domain1.co.uk127771834679019580:2851 1277718346.19582-0.plesk2.domain1.co.uk:2014
Jun 28 10:45:47 plesk2 qmail: 1277718347.595701 info msg 14815003: bytes 3333 from <melissawilliams1@gmx.com> qp 19591 uid 10113
Jun 28 10:45:47 plesk2 qmail-local-handlers[19593]: from=melissawilliams1@gmx.com
[plesk2.domain1.co.uk ~]#

Re: general spamassassin qmail scanner question
Post by breun

coolemail wrote: 1. If we are getting false positives (genuine emails which are identified as Spam), then can we whitelist email addresses or whole domains, or train SpamAssassin at all? In the Plesk version, that is all on the GUI but we have the qmail-scanner version of it.

The SpamAssassin wiki has info on this:

Manual whitelisting: http://wiki.apache.org/spamassassin/ManualWhitelist

For training you can run sa-learn on a mailbox: http://wiki.apache.org/spamassassin/sa-learn

2. Linked to this, is there a way we can train Spamassassin so that it learns that emails identified as Spam ARE Spam? In short, telling it that a particular email is or is not Spam. Perhaps we can blacklist using either information in headers or some other way?

You can use sa-learn for both ham and spam. Just use the --ham and --spam flags accordingly.

3. If someone sends us an email which is tagged as Spam, are we able to go back to them and tell them WHY that email was tagged by us so that they can sort out their systems?

You can use SA_ALT/SA_DEBUG to put that info in the mail headers, but that isn't too good for performance (which might not be a problem for you). Otherwise you'll need to look the message up in the maillog.

4. If an email is not delivered, I think I'm right that it is not quarantined anywhere but is totally deleted from the server? And maillog would be the only way we would know it had been deleted? So what would be the best action to take before getting the sender to re-send?

Whether e-mail is quarantined or deleted depends on the SA_QUARANTINE and SA_DELETE settings in /etc/qmail-scanner.ini. Please configure to your liking (and don't forget to run qmail-scanner-reconfigure after modifying /etc/qmail-scanner.ini).

For example, I have had a number of emails from one particular sender to lots of people that I would like to stop: [snip]

You can blacklist that address in your SpamAssassin configuration using blacklist_from: http://wiki.apache.org/spamassassin/ManualWhitelist
Lemonbit Internet Dedicated Server Management
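
A dry run of the threshold rules described in this thread (required_hits plus SA_QUARANTINE / SA_DELETE, with SA_REJECT turning deletes into rejects) over qmail-scanner maillog lines in the format posted above, so a change to /etc/qmail-scanner.ini can be checked against logged scores before it starts dropping mail. This is an added example, not qmail-scanner's own code: the ini excerpt and log lines are constructed, and testing the delete threshold before the quarantine threshold is an assumption.

```python
import re

# Constructed qmail-scanner.ini excerpt using the values posted earlier in the thread.
SAMPLE_INI = '''
SA_QUARANTINE="2"                       # [num], required_hits + sa_quarantine  will go to SPAMDIR, 0 disables
SA_DELETE="3"                           # [num], required_hits + sa_delete will be deleted, 0 disables
SA_REJECT="no"                          # [yes|no], changes deletes to rejects
'''

# Constructed maillog lines in the qmail-scanner format shown in the thread.
SAMPLE_LOG = [
    "Jun 28 06:37:42 mx qmail-scanner[101]: Clear:RC:0(192.0.2.10):SA:0(0.4/3.0): "
    "0.51 2100 alice@example.invalid bob@example.invalid Hello <m1@example.invalid>",
    "Jun 28 06:38:02 mx qmail-scanner[102]: Clear:RC:0(192.0.2.11):SA:1(4.6/3.0): "
    "0.70 5689 carol@example.invalid bob@example.invalid RE:_order <m2@example.invalid>",
    "Jun 28 06:38:40 mx qmail-scanner[103]: Clear:RC:0(192.0.2.12):SA:1(5.0/3.0): "
    "0.91 2851 dave@example.invalid erin@example.invalid From_Dave <m3@example.invalid>",
    "Jun 28 06:39:15 mx qmail-scanner[104]: Clear:RC:0(192.0.2.13):SA:1(11.1/3.0): "
    "1.20 3300 frank@example.invalid erin@example.invalid Offer <m4@example.invalid>",
    "Jun 28 06:39:30 mx qmail-local-handlers[105]: from=alice@example.invalid",
]

INI_RE = re.compile(r'^\s*(SA_QUARANTINE|SA_DELETE|SA_REJECT)="([^"]*)"', re.M)

# "<verdict>:RC:<n>(<ip>):SA:<0|1>(<score>/<required>): <secs> <bytes> <sender> <rcpt> ..."
QS_RE = re.compile(
    r"qmail-scanner\[\d+\]: (?P<verdict>[^:]+):RC:\d\((?P<ip>[^)]+)\):"
    r"SA:(?P<flag>[01])\((?P<score>-?[\d.]+)/(?P<required>[\d.]+)\):\S*"
    r"\s+[\d.]+\s+\d+\s+(?P<sender>\S+)\s+(?P<rcpt>\S+)"
)


def load_sa_policy(ini_text):
    """Read the three disposition settings from qmail-scanner.ini text."""
    raw = dict(INI_RE.findall(ini_text))
    return {
        "sa_quarantine": float(raw.get("SA_QUARANTINE", "0") or 0),
        "sa_delete": float(raw.get("SA_DELETE", "0") or 0),
        "sa_reject": raw.get("SA_REJECT", "no") == "yes",
    }


def disposition(score, required, sa_quarantine=0.0, sa_delete=0.0, sa_reject=False):
    """Map a SpamAssassin score to the action described in the thread."""
    if score < required:
        return "deliver"                      # below required_hits: untouched
    # Assumption: the delete threshold is tested before the quarantine one.
    if sa_delete > 0 and score >= required + sa_delete:
        return "reject" if sa_reject else "delete"
    if sa_quarantine > 0 and score >= required + sa_quarantine:
        return "quarantine"                   # goes to SPAMDIR
    return "tag-subject"                      # spam, but only the subject changes


def dry_run(log_lines, policy):
    """Return one row per scanned message with the action the policy would take."""
    rows = []
    for line in log_lines:
        m = QS_RE.search(line)
        if not m:
            continue
        # 'required' is taken from the log line, i.e. the value actually in force.
        score, required = float(m.group("score")), float(m.group("required"))
        rows.append({
            "sender": m.group("sender"),
            "rcpt": m.group("rcpt"),
            "score": score,
            "action": disposition(score, required, **policy),
        })
    return rows


if __name__ == "__main__":
    for row in dry_run(SAMPLE_LOG, load_sa_policy(SAMPLE_INI)):
        print(row)
```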

Re: general spamassassin qmail scanner question
Post by coolemail

I have a lot of outgoing emails (and all my customers are checked by us!!) that are being tagged as Spam. Is there a way that I can easily disable the SpamAssassin on all outgoing mail?

For example, the following are very harmless, yet being tagged. I think that the first thing is to stop all outgoing messages being checked and hope that my own hosted emails are not compromised and then used to send Spam.

I'm worried that if I whitelist a whole domain, it might mean that emails which pretend they are coming from our own domain but are not going through our mail server will be allowed through??

Jun 29 17:33:46 plesk2 qmail-scanner[3288]: Clear:RC:0(41.206.41.100):SA:1(4.6/3.0): 0.701246 5689 cokado@hosted-domain1.com graham.dean@remote-domain1.com RE:_EXPIRED_CONSTRUCTION_CHEMICALS <000101cb17a8$d245de90$76d19bb0$@com> orig-plesk2.mydomain.co.uk12778292247903288:5689 1277829225.3290-0.plesk2.mydomain.co.uk:4728

Jun 29 13:15:23 plesk2 qmail-scanner[23511]: Clear:RC:0(86.169.238.65):SA:1(4.2/3.0): 18.81925 8114 sophiathomas@hosted-domain2.com frances.roper@remote-domain2.com Re:_summer <CCC8E7BC-F767-4027-9B7A-F2D2FCE72D12@hosted-domain2.com> 1277813705.23513-0.plesk2.mydomain.co.uk:6870 orig-plesk2.mydomain.co.uk127781370479023511:8114
Last edited by coolemail on Tue Jun 29, 2010 12:51 pm, edited 1 time in total.