Mailing List Archive: SpamAssassin: users

Spamassassin not tagging some emails

Index | Next | Previous | View Threaded

angus.dunn at 3idea

Oct 22, 2009, 5:59 PM

Post #1 of 17 (949 views)
Permalink

Spamassassin not tagging some emails

Hi,

I am wondering if anyone has encountered a similar problem or has a solution
for this.
I have enabled spamassassin on my mail server. Spamassassin is correctly
tagging most of the email but some of the emails are not.

The correctly tagged emails has the following in the email headers:
Return-Path: <support [at] 3idea>
X-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) on
titanium.3idea.com
X-Spam-Level:
X-Spam-Status: No, score=-1.4 required=5.0 tests=ALL_TRUSTED autolearn=ham
version=3.2.5
Received: from inspiron1505 (titanium [127.0.0.1])
by titanium.3idea.com (8.13.8/8.13.8) with ESMTP id n9N031fU015203
for <postmaster [at] austingrahaminc>; Thu, 22 Oct 2009 17:03:01 -0700
Reply-To: <support [at] 3idea>
From: "Support [at] 3ide" <support [at] 3idea>
To: <postmaster [at] austingrahaminc>
References: <000d01ca536e$1d77aa10$6400a8c0 [at] pedicuring>
In-Reply-To: <000d01ca536e$1d77aa10$6400a8c0 [at] pedicuring>
Subject: RE: You've received a postcard test
Date: Thu, 22 Oct 2009 17:03:00 -0700
Message-ID: <00fe01ca5374$2f27ce10$8d776a30$@com>
MIME-Version: 1.0
Content-Type: text/plain;
charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Office Outlook 12.0
Thread-Index: AcpTbjaJ1YZhm8cFRkyZRJYCPUdxZwABfEow
Content-Language: en-us

The emails that has not been tagged at all:
Return-Path: <angus.dunn [at] 3idea>
Received: from inspiron1505 (titanium [127.0.0.1])
by titanium.3idea.com (8.13.8/8.13.8) with ESMTP id n9MNutNS014287
for <support [at] 3idea>; Thu, 22 Oct 2009 16:56:55 -0700
Reply-To: <angus.dunn [at] 3idea>
From: "Angus - 3idea" <angus.dunn [at] 3idea>
To: <support [at] 3idea>
Subject: FW: You've received a postcard test
Date: Thu, 22 Oct 2009 16:56:54 -0700
Message-ID: <00e401ca5373$54c76aa0$fe563fe0$@dunn [at] 3idea>
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="----=_NextPart_000_00E5_01CA5338.A86892A0"
X-Mailer: Microsoft Office Outlook 12.0
Thread-Index: AcpTbqcxbSi7uMYrQ6yvYdA8pD9mWwABKQzQ
Content-Language: en-us

I have confirmed that spamassassin is running all the time. It seems like
all emails with attachment are passing straight through and not evaluate by
spamassassin.
The emails that are not tagged has an attachment ecard.zm9 which is a spam
email.
The IP of the spam email is from a blacklisted mail server.

Does anyone know why spamassassin is not tagging the email with attachment?

I am using the following:
Spamassassin 3.2.5
Sendmail 8.13.8-2
Centos 5.1

If there is additional info i need to provide, please let me know.

I really appreciated your help!

Thanks,

Angus
--
View this message in context: http://www.nabble.com/Spamassassin-not-tagging-some-emails-tp26019435p26019435.html
Sent from the SpamAssassin - Users mailing list archive at Nabble.com.

mysqlstudent at gmail

Oct 22, 2009, 6:52 PM

Post #2 of 17 (910 views)
Permalink

Re: Spamassassin not tagging some emails [In reply to]

Hi,

On the message that should have been scanned:

> The emails that has not been tagged at all:

[...]
> From: "Angus - 3idea" <angus.dunn [at] 3idea>
> To: <support [at] 3idea>

Are you forwarding this spam from your internal account to this other
internal support [at] 3idea account? It also looked like there was no
external mail server involved.

If so, I would think that SA trusts your internal network, and
therefore is just passing the message through without even evaluating
it. If you want your internal mail to also be scanned, remove your
mail server from trusted_networks and internal_networks.

I think that should fix it.

Regards,
Alex

jarif at iki

Oct 23, 2009, 1:55 AM

Post #3 of 17 (898 views)
Permalink

Re: Spamassassin not tagging some emails [In reply to]

23.10.2009 4:52, MySQL Student kirjoitti:
> Hi,
>
> On the message that should have been scanned:
>
>> The emails that has not been tagged at all:
>
> [...]
>> From: "Angus - 3idea" <angus.dunn [at] 3idea>
>> To: <support [at] 3idea>
>
> Are you forwarding this spam from your internal account to this other
> internal support [at] 3idea account? It also looked like there was no
> external mail server involved.
>
> If so, I would think that SA trusts your internal network, and
> therefore is just passing the message through without even evaluating
> it. If you want your internal mail to also be scanned, remove your
> mail server from trusted_networks and internal_networks.
>
> I think that should fix it.
>
> Regards,
> Alex
>

SpamAssassin DOES NOT bypass scanning, if the internal or trusted
networks contain the server in it.

Own mail server MUST be in those network settings.

The questions follows:

How do you call SpamAssassin? Via spamc? How do you initiate spamc? Does
it somehow bypass local network?

--
http://www.iki.fi/jarif/

Stay away from flying saucers today.

Attachments:

signature.asc (0.25 KB)

jhardin at impsec

Oct 23, 2009, 6:43 AM

Post #4 of 17 (893 views)
Permalink

Re: Spamassassin not tagging some emails [In reply to]

On Thu, 22 Oct 2009, Angus Dunn wrote:

> I have enabled spamassassin on my mail server. Spamassassin is correctly
> tagging most of the email but some of the emails are not.

> The correctly tagged emails has the following in the email headers:
> Received: from inspiron1505 (titanium [127.0.0.1])
> by titanium.3idea.com (8.13.8/8.13.8) with ESMTP id n9N031fU015203
> for <postmaster [at] austingrahaminc>; Thu, 22 Oct 2009 17:03:01 -0700
>
>
> The emails that has not been tagged at all:
> Received: from inspiron1505 (titanium [127.0.0.1])
> by titanium.3idea.com (8.13.8/8.13.8) with ESMTP id n9MNutNS014287
> for <support [at] 3idea>; Thu, 22 Oct 2009 16:56:55 -0700
>
> I have confirmed that spamassassin is running all the time. It seems like
> all emails with attachment are passing straight through and not evaluate by
> spamassassin.

How is SA glued into your MTA? What rules, if any, are implemented to
control when a message gets passed to SA for scanning?

> The IP of the spam email is from a blacklisted mail server.

Oh? You can't tell that from the examples you posted. Both examples only
have _one_ Received: header, shoing that the message originates at
localhost.

> I am using the following:
> Spamassassin 3.2.5
> Sendmail 8.13.8-2
> Centos 5.1

> If there is additional info i need to provide, please let me know.

(1) How SA is attached to Sendmail. Via procmail? Via a milter? Via some
other package?

(2) Does the message skipping appear to be related to message size -
larger message are skipped? Is spamc in use? If so, do you have a size
limit set that would cause a message with a large attachment would be
skipped?

(3) Provide full, unedited (i.e. all headers intact) samples of a spam
message that did not get scanned and one that did get scanned and scored,
posted to a website (e.g. pastebin) and the URLs to them posted here.
Please don't send samples to the mailing list.

Something you could check:

Find where spamassassin writes its logs. It will probably be
/var/log/maillog.

Look for the message-ID of a message that was properly marked up. You
should find it.

Look for the message-ID of a message that was not marked up at all. Do you
find it?

If you don't find it then it's likely your glue layer is deciding not to
ask SA to scan the message, thus the problem does not lie in SA.

--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin [at] impsec FALaholic #11174 pgpk -a jhardin [at] impsec
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
One death is a tragedy; thirty is a media sensation;
a million is a statistic. -- Joseph Stalin, modernized
-----------------------------------------------------------------------
14 days since President Obama won the Nobel "Not George W. Bush" prize

mysqlstudent at gmail

Oct 23, 2009, 10:04 AM

Post #5 of 17 (899 views)
Permalink

Re: Spamassassin not tagging some emails [In reply to]

Hi,

> SpamAssassin DOES NOT bypass scanning, if the internal or trusted
> networks contain the server in it.

Hmm.. thanks for correcting me.

How would you, then, go about preventing SA from scanning the
localhost or a specific domain without whitelisting that domain or
range?

Thanks,
Alex

guenther at rudersport

Oct 23, 2009, 10:16 AM

Post #6 of 17 (895 views)
Permalink

Re: Spamassassin not tagging some emails [In reply to]

On Fri, 2009-10-23 at 13:04 -0400, MySQL Student wrote:
> > SpamAssassin DOES NOT bypass scanning, if the internal or trusted
> > networks contain the server in it.
>
> Hmm.. thanks for correcting me.
>
> How would you, then, go about preventing SA from scanning the
> localhost or a specific domain without whitelisting that domain or
> range?

Don't feed the mail to SA. That's the responsibility of your glue,
whatever passes mail to SA.

SA scans *any* mail it gets passed. Using the Shortcircuit plugin, you
can e.g. have SA end early -- but for shortcircuiting to happen, SA
obviously must process the mail.

--
char *t="\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8? c<<=1:
(c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}

jarif at iki

Oct 23, 2009, 10:27 AM

Post #7 of 17 (893 views)
Permalink

Re: Spamassassin not tagging some emails [In reply to]

23.10.2009 20:04, MySQL Student kirjoitti:
> Hi,
>
>> SpamAssassin DOES NOT bypass scanning, if the internal or trusted
>> networks contain the server in it.
>
> Hmm.. thanks for correcting me.
>
> How would you, then, go about preventing SA from scanning the
> localhost or a specific domain without whitelisting that domain or
> range?
>
> Thanks,
> Alex
>

Personally, I do call SpamAssassin from maildrop (/etc/maildroprc).

That takes place as

----------------------------------------------------------------------

if ( $SCAN_SPAM == 1 )
{
xfilter "spamc -H --retry-sleep=10 --connect-retries=100 -d spamd
-u spam"
}

----------------------------------------------------------------------

Than can be done from procmailrc etc. with their own ways.

The SCAN_SPAM variable is a key in this. I can set it to 0 (default
value for script 1) using various tests.

I have various tests for that variable, that this is what whitelists the
message from being passed to SpamAssassin.

----------------------------------------------------------------------

if (( $SCAN_SPAM == 1) && /^From:\s*(.*)/ && lookup( $MATCH1,
"/usr/etc/maildrop_sender_whitelist", "D" ))
{
xfilter "reformail -A'X-Whitelisted: $MATCH1 in
/usr/etc/maildrop_sender_whitelist'"
SCAN_SPAM=0
}

----------------------------------------------------------------------

In this case, I have a text file /usr/etc/maildrop_sender_whitelist
which contains email addresses line by line, and if maildrop finds a
match from there, it sets the SCAN_SPAM to 0, thus bypassing the SA call.

This test if earlier in the maildroprc script, the spamc call is of
course in the end.

This kind of whitelisting is of course dangerous, but it it works for
me. The whitelisted addresses are mostly of type
root [at] somehost which are not abused by spammers (knock knock).

You can do all kinds of tests with maildrop. I have also this.

-----------------------------------------------------------------------
# Check for bounces. If matches, no SpamAssassin call needed, because I
do not consider bounce as spam.
if ( /^Subject: Mail Delivery Problem/ || \
/^Subject: Mail Delivery \(failure/ || \
/^Subject: Undelivered Mail Returned to Sender/ || \
/^Subject: virus found in sent message/ || \
/^Subject: failure notice / || \
/^Subject: Mail delivery failed/ || \
/^Subject: Undeliverable\:/ || \
/^Subject: Undeliverable [Mm]ail/ || \
/^Subject: Undeliverable Mail/ || \
/^Subject: Undeliverable mail/ || \
/^Subject: Returned mail\: / || \
/^Subject: DELIVERY FAILURE: User / || \
/^Subject: Yahoo! Auto Response/ || \
/^X-ME-bounce-domain:/ || \
/^X-Failed-Recipients:/ || \
/^X-Yahoo-Newman-Property: groups-bounce/ || \
/^Diagnostic-Code: X-Postfix; host / || \
/^Content-type: multipart\/report;/ || \
/^Subject: Delivery failed\:/ || \
/^Subject: DELIVERY FAILURE\:/ || \
/^Subject: MESSAGE NOT DELIVERED\: / || \
/^Subject: Delivery problem/ || \
/^Subject: Email Failure Notification/ || \
/^Subject: Email not allowed/ || \
/^Subject: failure delivery/ || \
/^Subject: failure notice/ || \
/^Subject: Mail Not Delivered/ || \
/^Subject: mail failed, returning to sender/ || \
/^Subject: Nondeliverable mail/ || \
/^Subject: Warning: could not send message for/ || \
/^Subject: MDaemon Warning - Virus Found/ || \
/^Subject: Permanent Delivery Failure/ || \
/^Subject: Mail System Error - Returned Mail/ || \
/^Subject: Mail System Error - Undeliverable Mail/ || \
/^Subject: Transient Delivery Failure/ || \
/^Subject: Message status - undeliverable/ || \
/^Subject: Warning\: message / || \
/^Subject: Mail could not be delivered/ || \
/^Subject: Your email to .* has NOT been delivered/ || \
/^Subject: Returned mail: see our site/ || \
/^Subject: Delivery failure/ )
{
`logger -p mail.info "** BOUNCE RECEIVED **"`
if (hasaddr("vesaf [at] iki"))
{
exit
}
xfilter "reformail -A'X-Whitelisted: Apparently a bounce,
SpamAssassin will not be called.'"
xfilter "reformail -A'X-Bounce: Yes '"
SCAN_SPAM=0
}

-----------------------------------------------------------------------

It does not scan for Spam Attachments if the mail is a bounce. Bounces
will be delivered to another folder with a later rule.

You have your ways, your have your tools.

--
http://www.iki.fi/jarif/

Attachments:

signature.asc (0.25 KB)

angus.dunn at 3idea

Oct 23, 2009, 3:12 PM

Post #8 of 17 (885 views)
Permalink

Re: Spamassassin not tagging some emails [In reply to]

Jari Fredriksson wrote:
>
>
>
> 23.10.2009 20:04, MySQL Student kirjoitti:
>> Hi,
>>
>>> SpamAssassin DOES NOT bypass scanning, if the internal or trusted
>>> networks contain the server in it.
>>
>> Hmm.. thanks for correcting me.
>>
>> How would you, then, go about preventing SA from scanning the
>> localhost or a specific domain without whitelisting that domain or
>> range?
>>
>> Thanks,
>> Alex
>>
>
> Personally, I do call SpamAssassin from maildrop (/etc/maildroprc).
>
> That takes place as
>
> ----------------------------------------------------------------------
>
> if ( $SCAN_SPAM == 1 )
> {
> xfilter "spamc -H --retry-sleep=10 --connect-retries=100 -d spamd
> -u spam"
> }
>
> ----------------------------------------------------------------------
>
> Than can be done from procmailrc etc. with their own ways.
>
> The SCAN_SPAM variable is a key in this. I can set it to 0 (default
> value for script 1) using various tests.
>
> I have various tests for that variable, that this is what whitelists the
> message from being passed to SpamAssassin.
>
> ----------------------------------------------------------------------
>
> if (( $SCAN_SPAM == 1) && /^From:\s*(.*)/ && lookup( $MATCH1,
> "/usr/etc/maildrop_sender_whitelist", "D" ))
> {
> xfilter "reformail -A'X-Whitelisted: $MATCH1 in
> /usr/etc/maildrop_sender_whitelist'"
> SCAN_SPAM=0
> }
>
> ----------------------------------------------------------------------
>
> In this case, I have a text file /usr/etc/maildrop_sender_whitelist
> which contains email addresses line by line, and if maildrop finds a
> match from there, it sets the SCAN_SPAM to 0, thus bypassing the SA call.
>
> This test if earlier in the maildroprc script, the spamc call is of
> course in the end.
>
> This kind of whitelisting is of course dangerous, but it it works for
> me. The whitelisted addresses are mostly of type
> root [at] somehost which are not abused by spammers (knock knock).
>
> You can do all kinds of tests with maildrop. I have also this.
>
> -----------------------------------------------------------------------
> # Check for bounces. If matches, no SpamAssassin call needed, because I
> do not consider bounce as spam.
> if ( /^Subject: Mail Delivery Problem/ || \
> /^Subject: Mail Delivery \(failure/ || \
> /^Subject: Undelivered Mail Returned to Sender/ || \
> /^Subject: virus found in sent message/ || \
> /^Subject: failure notice / || \
> /^Subject: Mail delivery failed/ || \
> /^Subject: Undeliverable\:/ || \
> /^Subject: Undeliverable [Mm]ail/ || \
> /^Subject: Undeliverable Mail/ || \
> /^Subject: Undeliverable mail/ || \
> /^Subject: Returned mail\: / || \
> /^Subject: DELIVERY FAILURE: User / || \
> /^Subject: Yahoo! Auto Response/ || \
> /^X-ME-bounce-domain:/ || \
> /^X-Failed-Recipients:/ || \
> /^X-Yahoo-Newman-Property: groups-bounce/ || \
> /^Diagnostic-Code: X-Postfix; host / || \
> /^Content-type: multipart\/report;/ || \
> /^Subject: Delivery failed\:/ || \
> /^Subject: DELIVERY FAILURE\:/ || \
> /^Subject: MESSAGE NOT DELIVERED\: / || \
> /^Subject: Delivery problem/ || \
> /^Subject: Email Failure Notification/ || \
> /^Subject: Email not allowed/ || \
> /^Subject: failure delivery/ || \
> /^Subject: failure notice/ || \
> /^Subject: Mail Not Delivered/ || \
> /^Subject: mail failed, returning to sender/ || \
> /^Subject: Nondeliverable mail/ || \
> /^Subject: Warning: could not send message for/ || \
> /^Subject: MDaemon Warning - Virus Found/ || \
> /^Subject: Permanent Delivery Failure/ || \
> /^Subject: Mail System Error - Returned Mail/ || \
> /^Subject: Mail System Error - Undeliverable Mail/ || \
> /^Subject: Transient Delivery Failure/ || \
> /^Subject: Message status - undeliverable/ || \
> /^Subject: Warning\: message / || \
> /^Subject: Mail could not be delivered/ || \
> /^Subject: Your email to .* has NOT been delivered/ || \
> /^Subject: Returned mail: see our site/ || \
> /^Subject: Delivery failure/ )
> {
> `logger -p mail.info "** BOUNCE RECEIVED **"`
> if (hasaddr("vesaf [at] iki"))
> {
> exit
> }
> xfilter "reformail -A'X-Whitelisted: Apparently a bounce,
> SpamAssassin will not be called.'"
> xfilter "reformail -A'X-Bounce: Yes '"
> SCAN_SPAM=0
> }
>
> -----------------------------------------------------------------------
>
> It does not scan for Spam Attachments if the mail is a bounce. Bounces
> will be delivered to another folder with a later rule.
>
> You have your ways, your have your tools.
>
> --
> http://www.iki.fi/jarif/
>
>
>
>
>

Hi All,

Thank you for the useful tips. I have tried the following:
1. trusted_networks/internal_networks - I checked the conf file for
spamassassin /etc/mail/spamassassin/local.cf, there is no reference to
trusted_networks or internal_networks. I also clear those two setting just
in case with the following settings:

clear_trusted_networks
clear_internal_networks

trusted_networks
internal_networks

But this does not help. The spam emails still did not get tag.

2. I am using procmailrc to invoke spamassassin.
Here is the /etc/procmailrc:
DROPPRIVS=yes
:0fw
* < 25600
| /usr/bin/spamc

:0
* ^X-Spam-Level: \*\*\*\*\*\*\*\*\*\*
/dev/null
~

As someone suggested, this may be due to size of the email. It looks like
spamassassion will not be invoked if email is larger than 25600 bytes.

I changed the above to the following:

DROPPRIVS=yes
:0fw
* < 102400
| /usr/bin/spamc

:0
* ^X-Spam-Level: \*\*\*\*\*\*\*\*\*\*
/dev/null

That seems to fix the problem.
I also have a question:
Do i really need to check for the size of email? Should I just remove the
size check?

Thanks,

Angus

--
View this message in context: http://www.nabble.com/Spamassassin-not-tagging-some-emails-tp26019435p26033969.html
Sent from the SpamAssassin - Users mailing list archive at Nabble.com.

jhardin at impsec

Oct 23, 2009, 3:30 PM

Post #9 of 17 (882 views)
Permalink

Re: Spamassassin not tagging some emails [In reply to]

On Fri, 23 Oct 2009, Angus Dunn wrote:

> :0fw
> * < 25600
> | /usr/bin/spamc

*chuckle* Yeah, that'd do it all right.

> It looks like spamassassion will not be invoked if email is larger than
> 25600 bytes.

Correct.

> :0fw
> * < 102400
> | /usr/bin/spamc

100KB is still rather small for an email with scannable attachments.

> That seems to fix the problem.
> I also have a question:
> Do i really need to check for the size of email? Should I just remove the
> size check?

spamc also has a size limit; that you aren't specifying it means it's
using its internal default. See the spamc documentation for what that is
and how to set it.

You should probably have your procmail rule set to the same size limit as
spamc is using, and make both explicit. That will minimize overhead for
messages larger than the limit and make it clear what is going on.

The size limit is generally set to 400-500KB. If you have an underpowered
MTA/SA box you might want to set it smaller to reduce scanning load. Also
take into consideration whether what you set it to lets an unacceptable
amount of large spams to get through.

--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin [at] impsec FALaholic #11174 pgpk -a jhardin [at] impsec
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
...in the 2nd amendment the right to arms clause means you have
the right to choose how many arms you want, and the militia clause
means that Congress can punish you if the answer is "none."
-- David Hardy, 2nd Amendment scholar
-----------------------------------------------------------------------
14 days since President Obama won the Nobel "Not George W. Bush" prize

d.hill at yournetplus

Oct 23, 2009, 3:36 PM

Post #10 of 17 (885 views)
Permalink

Re: Spamassassin not tagging some emails [In reply to]

Quoting Angus Dunn <angus.dunn [at] 3idea>:

> 2. I am using procmailrc to invoke spamassassin.
> Here is the /etc/procmailrc:
> DROPPRIVS=yes
> :0fw
> * < 25600
> | /usr/bin/spamc
>
> :0
> * ^X-Spam-Level: \*\*\*\*\*\*\*\*\*\*
> /dev/null
> ~
>
> As someone suggested, this may be due to size of the email. It looks like
> spamassassion will not be invoked if email is larger than 25600 bytes.
>
> I changed the above to the following:
>
> DROPPRIVS=yes
> :0fw
> * < 102400
> | /usr/bin/spamc
>
> :0
> * ^X-Spam-Level: \*\*\*\*\*\*\*\*\*\*
> /dev/null
>
>
> That seems to fix the problem.
> I also have a question:
> Do i really need to check for the size of email? Should I just remove the
> size check?

spamc documentation shows the default scan size is 500Kb. If you have
the system resources, you could eliminate the size restriction. I'm
calling spamc directly from the MTA and have the size set to 256Kb.

guenther at rudersport

Oct 23, 2009, 3:44 PM

Post #11 of 17 (885 views)
Permalink

Re: Spamassassin not tagging some emails [In reply to]

On Fri, 2009-10-23 at 15:12 -0700, Angus Dunn wrote:
> Thank you for the useful tips. I have tried the following:
> 1. trusted_networks/internal_networks - I checked the conf file for
> spamassassin /etc/mail/spamassassin/local.cf, there is no reference to
> trusted_networks or internal_networks. I also clear those two setting just
> in case with the following settings:

As has been clarified, this is not your issue. No way it will skip
scanning.

> clear_trusted_networks
> clear_internal_networks
>
> trusted_networks
> internal_networks

Please check the Conf docs. If you don't have any need to specifically
set them, just leave out all those options and let the magic work.

> But this does not help. The spam emails still did not get tag.
>
> 2. I am using procmailrc to invoke spamassassin.
> Here is the /etc/procmailrc:
> DROPPRIVS=yes
> :0fw
> * < 25600
> | /usr/bin/spamc

That's 25 kByte! Yes, that is your problem. Any mail larger than that
will NOT be processed by SA.

The default has been 500 kByte for a long time, and was 250 kByte
before. That line looks like an obvious *typo* to me. An ancient one.

> As someone suggested, this may be due to size of the email. It looks like
> spamassassion will not be invoked if email is larger than 25600 bytes.
>
> I changed the above to the following:
>
> DROPPRIVS=yes
> :0fw
> * < 102400
> | /usr/bin/spamc

100 kByte, still really low.

> That seems to fix the problem.
> I also have a question:
> Do i really need to check for the size of email? Should I just remove the
> size check?

man spamc. Without that procmail condition, spamc simply will return any
messages exceeding the (default) size limit unprocessed. Using an
explicit limit here will spare the unnecessary filter, since spamc won't
even be called.

I recommend setting it to the limit you want enforced -- and hence
setting it to 500 kByte if you don't want to change the spamc default.

--
char *t="\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8? c<<=1:
(c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}

d.hill at yournetplus

Oct 23, 2009, 4:01 PM

Post #12 of 17 (886 views)
Permalink

Re: Spamassassin not tagging some emails [In reply to]

Quoting Karsten Br�ckelmann <guenther [at] rudersport>:

>> But this does not help. The spam emails still did not get tag.
>>
>> 2. I am using procmailrc to invoke spamassassin.
>> Here is the /etc/procmailrc:
>> DROPPRIVS=yes
>> :0fw
>> * < 25600
>> | /usr/bin/spamc
>
> That's 25 kByte! Yes, that is your problem. Any mail larger than that
> will NOT be processed by SA.
>
> The default has been 500 kByte for a long time, and was 250 kByte
> before. That line looks like an obvious *typo* to me. An ancient one.

Add another zero and it would have been about 256Kb.

jhardin at impsec

Oct 23, 2009, 4:11 PM

Post #13 of 17 (885 views)
Permalink

Re: Spamassassin not tagging some emails [In reply to]

On Fri, 23 Oct 2009, d.hill [at] yournetplus wrote:

> Quoting Karsten Br�ckelmann <guenther [at] rudersport>:
>
>> > But this does not help. The spam emails still did not get tag.
>> >
>> > 2. I am using procmailrc to invoke spamassassin.
>> > Here is the /etc/procmailrc:
>> > DROPPRIVS=yes
>> > : 0fw
>> > * < 25600
>> > | /usr/bin/spamc
>>
>> That's 25 kByte! Yes, that is your problem. Any mail larger than that
>> will NOT be processed by SA.
>>
>> The default has been 500 kByte for a long time, and was 250 kByte
>> before. That line looks like an obvious *typo* to me. An ancient one.
>
> Add another zero and it would have been about 256Kb.

That's why we think it's a fossilized typo.

--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin [at] impsec FALaholic #11174 pgpk -a jhardin [at] impsec
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
An entitlement beneficiary is a person or special interest group
who didn't earn your money, but demands the right to take your
money because they *want* it. -- John McKay, _The Welfare State:
No Mercy for the Middle Class_
-----------------------------------------------------------------------
14 days since President Obama won the Nobel "Not George W. Bush" prize

guenther at rudersport

Oct 23, 2009, 4:22 PM

Post #14 of 17 (882 views)
Permalink

Re: Spamassassin not tagging some emails [In reply to]

On Fri, 2009-10-23 at 16:11 -0700, John Hardin wrote:
> On Fri, 23 Oct 2009, d.hill [at] yournetplus wrote:
> > Quoting Karsten Bräckelmann <guenther [at] rudersport>:

> > > > : 0fw
> > > > * < 25600
> > > > | /usr/bin/spamc
> > >
> > > That's 25 kByte! Yes, that is your problem. Any mail larger than that
> > > will NOT be processed by SA.
> > >
> > > The default has been 500 kByte for a long time, and was 250 kByte
> > > before. That line looks like an obvious *typo* to me. An ancient one.
> >
> > Add another zero and it would have been about 256Kb.

Which would be exactly why I claimed this to look like a...

> That's why we think it's a fossilized typo.

Err, right, thanks. ;-)

--
char *t="\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8? c<<=1:
(c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}

angus.dunn at 3idea

Oct 23, 2009, 4:39 PM

Post #15 of 17 (884 views)
Permalink

Re: Spamassassin not tagging some emails [In reply to]

Thanks everyone for your help!

I have changed procmailrc to the following:
DROPPRIVS=yes
:0fw
* < 512000
| /usr/bin/spamc

:0
* ^X-Spam-Level: \*\*\*\*\*\*\*\*\*\*
/dev/null

It is now working fine.

Someone mentioned that i can actually invoke spamassassin directly from
sendmail. What will be the advantage/disadvantage to do that? Also any docs
on how to do that?

Thanks,

Angus

d.hill wrote:
>
> Quoting Karsten Bräckelmann <guenther [at] rudersport>:
>
>>> But this does not help. The spam emails still did not get tag.
>>>
>>> 2. I am using procmailrc to invoke spamassassin.
>>> Here is the /etc/procmailrc:
>>> DROPPRIVS=yes
>>> :0fw
>>> * < 25600
>>> | /usr/bin/spamc
>>
>> That's 25 kByte! Yes, that is your problem. Any mail larger than that
>> will NOT be processed by SA.
>>
>> The default has been 500 kByte for a long time, and was 250 kByte
>> before. That line looks like an obvious *typo* to me. An ancient one.
>
> Add another zero and it would have been about 256Kb.
>
>
>

--
View this message in context: http://www.nabble.com/Spamassassin-not-tagging-some-emails-tp26019435p26034712.html
Sent from the SpamAssassin - Users mailing list archive at Nabble.com.

d.hill at yournetplus

Oct 23, 2009, 5:25 PM

Post #16 of 17 (887 views)
Permalink

Re: Spamassassin not tagging some emails [In reply to]

Quoting Angus Dunn <angus.dunn [at] 3idea>:

> Thanks everyone for your help!
>
> I have changed procmailrc to the following:
> DROPPRIVS=yes
> :0fw
> * < 512000
> | /usr/bin/spamc
>
> :0
> * ^X-Spam-Level: \*\*\*\*\*\*\*\*\*\*
> /dev/null
>
> It is now working fine.
>
> Someone mentioned that i can actually invoke spamassassin directly from
> sendmail. What will be the advantage/disadvantage to do that? Also any docs
> on how to do that?

Seeing as you responded to my message, I don't recall seeing anyone
mentioning a particular MTA. I could be wrong as I jumped into the
conversation late. I invoke SA directly from Postfix, myself.

dbfunk at engineering

Oct 26, 2009, 11:37 AM

Post #17 of 17 (812 views)
Permalink

Re: Spamassassin not tagging some emails [In reply to]

On Fri, 23 Oct 2009, Angus Dunn wrote:

>
> Thanks everyone for your help!
>
> I have changed procmailrc to the following:
> DROPPRIVS=yes
> :0fw
> * < 512000
> | /usr/bin/spamc
>
> :0
> * ^X-Spam-Level: \*\*\*\*\*\*\*\*\*\*
> /dev/null
>
> It is now working fine.
>
> Someone mentioned that i can actually invoke spamassassin directly from
> sendmail. What will be the advantage/disadvantage to do that? Also any docs
> on how to do that?
>
> Thanks,
>
> Angus

Check the SA wiki for "IntegradedInMta"
http://wiki.apache.org/spamassassin/IntegratedInMta

There are multiple sendmail 'milters' (EG spamas-milter, milterassassin)
which will do that, other kinds of more exotic integration systems
(EG MIMEDefang, amavis2, etc).

General advantages: can filter all mail passing thru your system not just
locally delivered messages, only need to call once per message not per
recipient, can do SMTP rejects of high-scoring spam, etc

General disadvantage: harder to do per-user customization of rules etc.

--
Dave Funk University of Iowa
<dbfunk (at) engineering.uiowa.edu> College of Engineering
319/335-5751 FAX: 319/384-0549 1256 Seamans Center
Sys_admin/Postmaster/cell_admin Iowa City, IA 52242-1527
#include <std_disclaimer.h>
Better is not better, 'standard' is better. B{

Index | Next | Previous | View Threaded

Interested in having your list archived? Contact Gossamer Threads