[Mimedefang] Some spam tests not running Timeout maybe

David Reta DavidR at Narus.com
Wed Jan 24 13:59:13 EST 2007


Thanks for the help. The output of the following two commands is
matching up.

spamassassin -p /etc/mail/sa-mimedefang.cf < ENTIRE_MESSAGE
spamassassin -p /etc/mail/spamassassin/sa-mimedefang.cf < ENTIRE_MESSAGE

The 2 files are linked, also local.cf is linked to
/etc/mail/spamassassin/sa-mimedefang.cf

The bayes is the same. I fed it through bayes before I sent the second
output, sorry about that.

It seems that the SARE rules I have are not being picked up. These are
in /var/lib/spamassassin/3.001007.
None of the messages that are running through Mimedefang are hitting any
of these rules. Should I put all those files as includes in the
/etc/mail/spamassassin/sa-mimedefang.cf? Something like 
include /var/lib/spamassassin/3.001007/99_sare_adult_cf_sare_sa-update_dostech_net.cf

Content preview:  Genuie and from the Original manufacturer are selling by
  Trusted vendor. Don't miss this chance to buy Hight-Quality production!
  Our online shop: http://golfmaywood.info [...]

Content analysis details:   (12.9 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 1.1 EXTRA_MPART_TYPE       Header has extraneous Content-type:...type= entry
 1.1 SPF_NEUTRAL            SPF: sender does not match SPF record (neutral)
[SPF failed: Please see http://spf.pobox.com/why.html?sender=berry%40artstheatreschool.com&ip=89.35.39.20&receiver=mx1]
 1.3 INFO_TLD               URI: Contains an URL in the INFO top-level domain
 0.0 HTML_MESSAGE           BODY: HTML included in message
 4.0 BAYES_99               BODY: Bayesian spam probability is 99 to 100%
                            [score: 1.0000]
 0.5 HTML_IMAGE_ONLY_16     BODY: HTML: images with 1200-1600 bytes of words
 1.5 RAZOR2_CF_RANGE_E8_51_100 Razor2 gives engine 8 confidence level
                            above 50%
                            [cf: 100]
 2.0 RAZOR2_CHECK           Listed in Razor2 (http://razor.sf.net/)
 1.5 RAZOR2_CF_RANGE_51_100 Razor2 gives confidence level above 50%
                            [cf: 100]

Content preview:  Genuie and from the Original manufacturer are selling by
  Trusted vendor. Don't miss this chance to buy Hight-Quality production!
  Our online shop: http://golfmaywood.info [...]

Content analysis details:   (34.9 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
  10 FH_MSGID_XXX           Message-Id = @xxx
 1.1 EXTRA_MPART_TYPE       Header has extraneous Content-type:...type= entry
-0.0 NO_RELAYS              Informational: message was not relayed via SMTP
 1.3 INFO_TLD               URI: Contains an URL in the INFO top-level domain
 0.0 HTML_MESSAGE           BODY: HTML included in message
 4.0 BAYES_99               BODY: Bayesian spam probability is 99 to 100%
                            [score: 1.0000]
 0.5 HTML_IMAGE_ONLY_16     BODY: HTML: images with 1200-1600 bytes of words
 0.8 SARE_GIF_ATTACH        FULL: Email has a inline gif
 1.5 RAZOR2_CF_RANGE_E8_51_100 Razor2 gives engine 8 confidence level
                            above 50%
                            [cf: 100]
 2.0 RAZOR2_CHECK           Listed in Razor2 (http://razor.sf.net/)
 1.5 RAZOR2_CF_RANGE_51_100 Razor2 gives confidence level above 50%
                            [cf: 100]
 3.0 URIBL_BLACK            Contains an URL listed in the URIBL blacklist
                            [URIs: golfmaywood.info]
 0.9 MY_CID_AND_CLOSING     SARE cid and closing
 0.7 MY_CID_AND_STYLE       SARE cid and style
 1.2 MY_CID_ARIAL2_CLOSING  SARE cid arial2 closing
 1.1 MY_CID_ARIAL_STYLE     SARE cid arial2 style
 0.7 MY_CID_AND_ARIAL2      SARE CID and Arial2
 0.9 FM_NO_STYLE            FM_NO_STYLE
-0.0 NO_RECEIVED            Informational: message has no Received headers
 1.7 SARE_GIF_STOX          Inline Gif with little HTML
 1.1 FM_MULTI_ODD2          FM_MULTI_ODD2
 0.7 FM_MULTI_ODD3          FM_MULTI_ODD3

[root at mx2 MD-Quarantine]# more /etc/mail/spamassassin/sa-mimedefang.cf

rewrite_header Subject *****SPAM*****
ok_locales all
lock_method nfssafe
required_score 5.0
dns_available yes
uridnsbl_timeout 30
use_razor2 1
use_auto_whitelist 0
use_bayes 1
bayes_auto_learn 1
rbl_timeout 20

bayes_store_module      Mail::SpamAssassin::BayesStore::SQL
bayes_sql_dsn           DBI:mysql:Spam:mx1:3306
bayes_sql_username      defang
bayes_sql_password      defang
bayes_auto_learn_threshold_spam 10.0
bayes_auto_learn_threshold_nonspam -2.0

score SARE_DIPLOMA2 10.0
score RCVD_IN_BL_SPAMCOP_NET 10.0
score RAZOR2_CHECK 2.0
score RAZOR2_CF_RANGE_51_100 1.5
score RAZOR2_CF_RANGE_E4_51_100 2.0
score FUZZY_SOFTWARE 10.0
score ALL_TRUSTED 0
score SPF_PASS -1.0
score SPF_HELO_PASS -1.0
score BAYES_99 4.0

Thanks,
David

-----Original Message-----
From: mimedefang-bounces at lists.roaringpenguin.com
[mailto:mimedefang-bounces at lists.roaringpenguin.com] On Behalf Of
Jan-Pieter Cornet
Sent: Wednesday, January 24, 2007 3:34 AM
To: mimedefang at lists.roaringpenguin.com
Subject: Re: [Mimedefang] Some spam tests not running Timeout maybe

On Tue, Jan 23, 2007 at 06:24:53PM -0800, David Reta wrote:
> I am having an issue with some spam slipping through. When I check the
> MSG.0 file from the quarantine against a manual run of the 
> ENTIRE_MESSAGE file from the quarantine there are rules that are not 
> hit. I am running them manually as the same user as mimedefang so I 
> don't think it could be a permission issue. Is there a timeout setting
> or something else I could be missing that could be causing this?
>  
> Any help is appreciated.

"spamassassin" as a standalone binary uses a different configuration file
than the spamassassin integrated into mimedefang does. That is likely your
problem... try to compare with:

spamassassin -p /etc/mail/sa-mimedefang.cf < ENTIRE_MESSAGE

Then possibly tweak your sa-mimedefang.cf
  
> Here is an example from the quarantine
>  
> [defang at mx1 qdir-2007-01-23-16.27.29-001]$ more MSG.0
[...]
> Content analysis details:   (0.6 points, 5.0 required)
>  
>  0.603 5 BAYES_00,HTML_MESSAGE,MIME_HTML_ONLY,NO_DNS_FOR_FROM
>  
> Here is the output from when it manually
>  
> [defang at mx1 qdir-2007-01-23-16.27.29-001]$  spamassassin < 
> ENTIRE_MESSAGE
[...]
> X-Spam-Status: Yes, score=5.8 required=5.0 tests=BAYES_50,DBL_12_LETTER_FLDR,
>         DBL_12_LETTER_PGIMG,HTML_MESSAGE,MIME_HTML_ONLY,SARE_FORGED_PAYPAL,
>         SARE_FORGED_PAYPAL_C,SARE_SPOOF_BADURL,SPF_HELO_PASS autolearn=no
>         version=3.1.7

Note that you also use a different bayes database, apparently. Compare
the configs of sa-mimedefang.cf and all *.cf files under
/etc/mail/spamassassin. You could if you like put something like
"include /etc/mail/spamassassin/local.cf" in your sa-mimedefang.cf,
along with any other *.cf files you want to use.

(This assumes spamassassin actually uses /etc/mail/spamassassin, and
mimedefang uses /etc/mail. Substitute the appropriate paths for your
setup, if necessary)

--
Jan-Pieter Cornet <johnpc at xs4all.nl>
!! Disclamer: The addressee of this email is not the intended recipient.
!!
!! This is only a test of the echelon and data retention systems. Please
!!
!! archive this message indefinitely to allow verification of the logs.
!!
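
The two "Content analysis details" reports in this thread are compared by eye; the sketch below lists the rules that fired in only one of two scans of the same message. It is an added example, not part of the original messages: the two sample reports are constructed and trimmed, and the function names are illustrative.

```python
import re

# Constructed sample reports in the layout shown in the thread: one scan that
# used only sa-mimedefang.cf, one that also loaded extra rule files.
REPORT_MIMEDEFANG = """\
 pts rule name              description
---- ---------------------- ------------------------------
 1.3 INFO_TLD               URI: Contains an URL in the INFO top-level
domain
 4.0 BAYES_99               BODY: Bayesian spam probability is 99 to
100%
                            [score: 1.0000]
 2.0 RAZOR2_CHECK           Listed in Razor2 (http://razor.sf.net/)
"""
REPORT_MANUAL = REPORT_MIMEDEFANG + """\
 0.8 SARE_GIF_ATTACH        FULL: Email has a inline gif
 3.0 URIBL_BLACK            Contains an URL listed in the URIBL
blacklist
-0.0 NO_RELAYS              Informational: message was not relayed via
SMTP
"""

# A hit line is: score, rule name in capitals, then the description.
RULE_LINE = re.compile(r"^\s*(-?\d+(?:\.\d+)?)\s+([A-Z][A-Z0-9_]+)\s+\S")

def parse_report(text):
    """Map rule name -> score for every hit in a report table.
    Wrapped description lines and the ruler do not match and are skipped."""
    hits = {}
    for line in text.splitlines():
        m = RULE_LINE.match(line)
        if m:
            hits[m.group(2)] = float(m.group(1))
    return hits

def diff_hits(first, second):
    """Rules that fired in only one of two scans of the same message."""
    a, b = parse_report(first), parse_report(second)
    only_a = {r: a[r] for r in sorted(a.keys() - b.keys())}
    only_b = {r: b[r] for r in sorted(b.keys() - a.keys())}
    return only_a, only_b

if __name__ == "__main__":
    only_md, only_manual = diff_hits(REPORT_MIMEDEFANG, REPORT_MANUAL)
    for rule, pts in only_manual.items():
        print(f"manual run only: {pts:5.1f} {rule}")
    missing = sum(only_manual.values())
    print(f"score missing from the MIMEDefang scan: {missing:.1f}")
```

Rules that appear on one side only point at a rule file, plugin or network test that one of the two configurations does not load.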