Mailing List Archive: exim: users

SpamAssassin

Index | Next | Previous | View Threaded

sys044 at abdn

May 21, 2002, 4:11 AM

Post #1 of 13 (2120 views)
Permalink

SpamAssassin

We are still using Exim 3

[root [at] mailtes exim]# /opt/exim/bin/exim -bt -d 9
BExim version 3.33 debug level 9 uid=0 gid=0
Berkeley DB: Sleepycat Software: Berkeley DB 3.1.17: (July 31, 2000)

with SpamAssassin configured as below using spamd as a daemon.

I am very pleased with it in general. The problem is when the spamd dies,
messages are bounced immediately with SMTP errors.

Is there a way to check if spamd is running and if not hold the messages
until a "patrol" restarts it?

John Linn

spamcheck:
driver = pipe

command = /opt/exim/bin/exim -oMr spam-scanned -bS
transport_filter = /usr/bin/spamc

bsmtp = all

home_directory = "/var/spool/exim/spamassassin/tmp"
current_directory = "/var/spool/exim/spamassassin/tmp"

# must use a privileged user to set $received_protocol on way back in!
user = mailnull
group = com

return_path_add = false

log_output = true
return_fail_output = true

prefix =
suffix =

jan.johansson at viking-telecom

May 21, 2002, 4:15 AM

Post #2 of 13 (2040 views)
Permalink

RE: SpamAssassin [In reply to]

> Is there a way to check if spamd is running and if not hold
> the messages
> until a "patrol" restarts it?

Why not use daemontools to make sure it is always running? Should it die, the default check interval of daemontools is 5 seconds.

dsh8290 at rit

May 21, 2002, 6:19 AM

Post #3 of 13 (2038 views)
Permalink

Re: SpamAssassin [In reply to]

--
On Tue, May 21, 2002 at 12:11:31PM +0100, j.linn wrote:
| We are still using Exim 3
|
| [root [at] mailtes exim]# /opt/exim/bin/exim -bt -d 9
| BExim version 3.33 debug level 9 uid=0 gid=0
| Berkeley DB: Sleepycat Software: Berkeley DB 3.1.17: (July 31, 2000)
|
| with SpamAssassin configured as below using spamd as a daemon.
|
| I am very pleased with it in general. The problem is when the spamd dies,
| messages are bounced immediately with SMTP errors.

One solution is to add '-f' to your spamc command line. Then it won't
fail when spamd dies and will simply pass the message along. The
advantage is you still get mail delivery, even though it isn't
scanned. Better yet, just upgrade spamassassin -- that option is the
default now.

| Is there a way to check if spamd is running and if not hold the messages
| until a "patrol" restarts it?

You can write a program to
1) check for spamd
2) start it if it doesn't exist
3) exec spamc

and use that as your filter instead of using spamc directly.

-D

--

Pleasant words are a honeycomb,
sweet to the soul and healing to the bones.
Proverbs 16:24

GnuPG key : http://dman.ddts.net/~dman/public_key.gpg

--
[ Content of type application/pgp-signature deleted ]
--

odhiambo at gmail

May 7, 2009, 12:19 AM

Post #4 of 13 (2012 views)
Permalink

Re: Spamassassin [In reply to]

On Thu, May 7, 2009 at 9:48 AM, Peter Kirk <peterki [at] korbitec> wrote:

> Hey
>
> Started new thread :-)
>
> Spamassassin is not using greylisting database,

It never uses and will never use.

> I noticed that spamassassin is using all the cpu as when I stop it, the
> server returns
> to normal.

Are you passing ALL mail through spamassassin, even 1MB ...20MB?
I never pass any mail larger than 256K through spamassassin.

--
Best regards,
Odhiambo WASHINGTON,
Nairobi,KE
+254733744121/+254722743223
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
"Clothes make the man. Naked people have little or no influence on
society."
-- Mark Twain
--
## List details at http://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/

peterki at korbitec

May 7, 2009, 12:28 AM

Post #5 of 13 (2001 views)
Permalink

Re: Spamassassin [In reply to]

>Started new thread :-)
>
>Spamassassin is not using greylisting database,

>
>It never uses and will never use.
>

>I noticed that spamassassin is using all the cpu as when I stop
it, the server returns
>to normal.

>
>Are you passing ALL mail through spamassassin, even 1MB ...20MB?
>I never pass any mail larger than 256K through spamassassin.

>
>--
>Best regards,
>Odhiambo WASHINGTON,
>Nairobi,KE
>+254733744121/+254722743223
>_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
>"Clothes make the man. Naked people have little or no influence on
society."
> -- Mark Twain

I don't scan anything over 256K either and have turned off the auto
whitelist but still having the problem

--
## List details at http://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/

odhiambo at gmail

May 7, 2009, 12:31 AM

Post #6 of 13 (2001 views)
Permalink

Re: Spamassassin [In reply to]

On Thu, May 7, 2009 at 10:28 AM, Peter Kirk <peterki [at] korbitec> wrote:

>
> >Started new thread :-)
> >
> >Spamassassin is not using greylisting database,
>
> >
> >It never uses and will never use.
> >
>
> >I noticed that spamassassin is using all the cpu as when I stop it, the
> server returns
> >to normal.
>
> >
> >Are you passing ALL mail through spamassassin, even 1MB ...20MB?
> >I never pass any mail larger than 256K through spamassassin.
>
> >
> >--
> >Best regards,
> >Odhiambo WASHINGTON,
> >Nairobi,KE
> >+254733744121/+254722743223
> >_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
> >"Clothes make the man. Naked people have little or no influence on
> society."
> > -- Mark Twain
>
>
>
> I don’t scan anything over 256K either and have turned off the auto
> whitelist but still having the problem
>
Can we please see your Exim config somewhere? I hope it's not Debian!!
May we also see your local.cf for SA?

You can put those on some web accessible server somewhere?

--
Best regards,
Odhiambo WASHINGTON,
Nairobi,KE
+254733744121/+254722743223
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
"Clothes make the man. Naked people have little or no influence on
society."
-- Mark Twain
--
## List details at http://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/

wbh at conducive

May 7, 2009, 12:45 AM

Post #7 of 13 (2000 views)
Permalink

Re: Spamassassin [In reply to]

Peter Kirk wrote:
>> Started new thread :-)
>>
>> Spamassassin is not using greylisting database,
>
>> It never uses and will never use.
>>
>
> >I noticed that spamassassin is using all the cpu as when I stop
> it, the server returns
> >to normal.
>
>> Are you passing ALL mail through spamassassin, even 1MB ...20MB?
>> I never pass any mail larger than 256K through spamassassin.
>
>> --
>> Best regards,
>> Odhiambo WASHINGTON,
>> Nairobi,KE
>> +254733744121/+254722743223
>> _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
>> "Clothes make the man. Naked people have little or no influence on
> society."
>> -- Mark Twain
>
>
>
> I don't scan anything over 256K either and have turned off the auto
> whitelist but still having the problem
>

Do you use 'require verify = recipient'

If not, suggest you read up on it and apply it, as it will buy you
'time' to add even better tools.

No point in scanning traffic from dictionery-attack zombots.

Next step is to better qualify arrivals within Exim, so that they never
need to reach SA at all.

Most zombots can be blown off with a combination of rDNS checks, HELO
FQDN checks, and a small 'delay' or two. They are terribly impatient..

These need not be 'hard edged' tests!

A small set of 'warn' verb loading values into acl_c thence to acl_m
variables as 'scores' can be tested against a threshold and/or added to
'spamint'.

It helps to run, for example, ClamAV *before* SA, and hard-reject, as it
is a lighter system load as very, very rarely false-alarms.

At that point you can begin to 'strip' SA by optioning-off of its tests
in interpreted perl that have already made faster and cheaper within
Exim's compiled 'C'.

Ideally, a slimmed-down SA nneds a mere fraction of the resources to
complete its scan, and will only be asked to look at around 10 to 20% of
arriving traffic.

Exim will have shed the worst of the garbage beforehand.

*Many* ways to get to that point...

- but you'll need to select what fits your environment, step at a time -
and test, test, test...

Do not just adopt acl snippets that work for others without through
testing, as there are many possible interactions.

HTH,

Bill

--
## List details at http://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/

peterki at korbitec

May 7, 2009, 1:11 AM

Post #8 of 13 (2014 views)
Permalink

Re: Spamassassin [In reply to]

>Do you use 'require verify = recipient'
>
>If not, suggest you read up on it and apply it, as it will buy you
>'time' to add even better tools.
>
>No point in scanning traffic from dictionery-attack zombots.
>
>Next step is to better qualify arrivals within Exim, so that they never

>need to reach SA at all.
>
>Most zombots can be blown off with a combination of rDNS checks, HELO
>FQDN checks, and a small 'delay' or two. They are terribly impatient..
>
>These need not be 'hard edged' tests!
>
>A small set of 'warn' verb loading values into acl_c thence to acl_m
>variables as 'scores' can be tested against a threshold and/or added to

>'spamint'.
>
>It helps to run, for example, ClamAV *before* SA, and hard-reject, as
it
>is a lighter system load as very, very rarely false-alarms.
>
>At that point you can begin to 'strip' SA by optioning-off of its tests

>in interpreted perl that have already made faster and cheaper within
>Exim's compiled 'C'.
>
>Ideally, a slimmed-down SA nneds a mere fraction of the resources to
>complete its scan, and will only be asked to look at around 10 to 20%
of
>arriving traffic.
>
>Exim will have shed the worst of the garbage beforehand.
>
>*Many* ways to get to that point...
>
>- but you'll need to select what fits your environment, step at a time
-
>and test, test, test...
>
>Do not just adopt acl snippets that work for others without through
>testing, as there are many possible interactions.
>
>HTH,
>
>Bill

Hey Bill

Thanks for the info, we do, do all of the above such as blacklisting,
whitelisting, dnslists, 'require verify = recipient', clamav and the
rest of the works. Make sure that spamassassin gets the last bit of
work there is to do.

The thing is that it works fine for about 3months and then just goes
crazy and uses a lot of cpu "well perl does". In the past I always end
up fixing it by either rebooting or updating all the packages on the
server. Though im sure there must be something causing this?

The server has 1GB mem and 1cpu 2.6... running on vmware, with a big
pipe to the internet. So there should be no bottlenecks. Server
handles anything from about 10-30k incoming mails per day, and blocks
about 20-50k spam a day so its not that much under strain.

Thanks

--
## List details at http://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/

graeme at graemef

May 7, 2009, 1:32 AM

Post #9 of 13 (1998 views)
Permalink

Re: Spamassassin [In reply to]

On Thu, 2009-05-07 at 10:11 +0200, Peter Kirk wrote:
> The thing is that it works fine for about 3months and then just goes
> crazy and uses a lot of cpu "well perl does". In the past I always end
> up fixing it by either rebooting or updating all the packages on the
> server. Though im sure there must be something causing this?

Possibly, but the SpamAssassin mailing lists are over there
-> http://wiki.apache.org/spamassassin/MailingLists

You could be seeing this (as you haven't mentioned any logs):

https://issues.apache.org/SpamAssassin/show_bug.cgi?id=4138

But as the issue seems to be within SA, you'd be best off asking this
question elsewhere where the SA experts hang out.

Graeme

--
## List details at http://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/

wbh at conducive

May 7, 2009, 1:44 AM

Post #10 of 13 (2007 views)
Permalink

Re: Spamassassin [In reply to]

Peter Kirk wrote:
>> Do you use 'require verify = recipient'
>>
*snip*

> Hey Bill
>
> Thanks for the info, we do, do all of the above such as blacklisting,
> whitelisting, dnslists, 'require verify = recipient', clamav and the
> rest of the works. Make sure that spamassassin gets the last bit of
> work there is to do.
>
> The thing is that it works fine for about 3months and then just goes
> crazy and uses a lot of cpu "well perl does". In the past I always end
> up fixing it by either rebooting or updating all the packages on the
> server. Though im sure there must be something causing this?
>

OK - the next place I would look is that an upgrade has altered your
original SA prefs - if not the whole bleeping environment and mindset of SA.

The last few have had warnings that init.pre had changed and called for
a review, and (briefly) my last few *new* installs had far higher
workload than previous ones until smacked back into simplicity-modes.

> The server has 1GB mem and 1cpu 2.6... running on vmware, with a big
> pipe to the internet. So there should be no bottlenecks. Server
> handles anything from about 10-30k incoming mails per day, and blocks
> about 20-50k spam a day so its not that much under strain.
>
> Thanks
>
>
>

That is a suspiciously low percentage of spam to ham, IMNSHO.

Over six+ years, we see closer to 80% spam, 20% ham. And even that is
after early-rejections that are excluded from the ratio.

OTOH, the principle <domain>.<tld>'s are in use for a dozen-plus years,
on the same IP for six+, and widely harvested, so may be higher than
average spam-magnets.

Regards,

Bill

--
## List details at http://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/

peterki at korbitec

May 7, 2009, 2:38 AM

Post #11 of 13 (1998 views)
Permalink

Re: Spamassassin [In reply to]

Thanks for all the help will pass this onto the next mailing list :)

Thanks
Peter Kirk
Network, Security and Infrastructure Engineer
Korbitec (Pty) Ltd.

Tel: +27 (0) 21 658 9719 || Fax+27 (0) 21 658 9798 || Mobile: +27 (0)
84 211 2200
e-mail: Peterki [at] korbitec || Website: www.korbitec.com
This e-mail is subject to Korbitec (Pty) Ltd's e-mail disclaimer which
can be found at www.korbitec.com/email_disclaimer.htm or by e-mailing
helpdesk [at] korbitec

-----Original Message-----
From: exim-users-bounces [at] exim [mailto:exim-users-bounces [at] exim]
On Behalf Of Graeme Fowler
Sent: Thursday, May 07, 2009 10:32
To: exim users
Subject: Re: [exim] Spamassassin

On Thu, 2009-05-07 at 10:11 +0200, Peter Kirk wrote:
> The thing is that it works fine for about 3months and then just goes
> crazy and uses a lot of cpu "well perl does". In the past I always
end
> up fixing it by either rebooting or updating all the packages on the
> server. Though im sure there must be something causing this?

Possibly, but the SpamAssassin mailing lists are over there
-> http://wiki.apache.org/spamassassin/MailingLists

You could be seeing this (as you haven't mentioned any logs):

https://issues.apache.org/SpamAssassin/show_bug.cgi?id=4138

But as the issue seems to be within SA, you'd be best off asking this
question elsewhere where the SA experts hang out.

Graeme

--
## List details at http://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/

--
## List details at http://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/

tlyons at ivenue

May 7, 2009, 5:41 AM

Post #12 of 13 (1998 views)
Permalink

Re: Spamassassin [In reply to]

On Thu, May 7, 2009 at 1:44 AM, W B Hacker <wbh [at] conducive> wrote:
>> handles anything from about 10-30k incoming mails per day, and blocks
>> about 20-50k spam a day so its not that much under strain.
>
> That is a suspiciously low percentage of spam to ham, IMNSHO.
>
> Over six+ years, we see closer to 80% spam, 20% ham. And even that is
> after early-rejections that are excluded from the ratio.

Those numbers seem pretty reasonable to me, they mirror what we see,
though undoubtedly some spam gets through. And also note that these
stats are from a different system based on sendmail.

[todd [at] tlyon ~]$ emailstats
Webmail System Statistics for 2009-05-06

TotalIncoming: 767809
RBL: 584657
Spams: 85564
Accepted: 97588
LocalDelivered: 72734
Forwarded: 24854
PercentGood: 12.7099

I'd be curious to see how this compares to others' mail breakouts.
--
Regards... Todd

--
## List details at http://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/

fh-exim2003 at LF

Nov 25, 2009, 1:30 AM

Post #13 of 13 (1339 views)
Permalink

Re: Spamassassin [In reply to]

Hi,

On Tue, Nov 24, 2009 at 09:51:14AM +0100, hub [at] dohmen wrote:
>
> But ... Exim does not send the complete emailaddress to spamd, so the setup does not work. Exim only sends the $local_part, not
> $local_part@$domain.
>
> Is their a way to get round this? A how to, or so? I could not find it.

would help if you post how you call spamassassin/spamc/whatever.
Using spamc, have a look at "-u" (RTFM).

--
Regards
Frank

--
## List details at http://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/

Index | Next | Previous | View Threaded

Interested in having your list archived? Contact Gossamer Threads