From merlin@merlins.org Wed May 08 11:37:30 2002
Date: Tue, 7 May 2002 21:37:43 -0700
From: Marc MERLIN
To: dman
Subject: [SA-exim] Re: feedback: SpamAssassin at SMTP time in local_scan

On Tue, May 07, 2002 at 11:06:20PM -0500, dman wrote:
> On Tue, May 07, 2002 at 12:15:30AM -0700, Marc MERLIN wrote:
> | On Mon, May 06, 2002 at 09:54:09AM -0700, Marc MERLIN wrote:
>
> | > http://marc.merlins.org/linux/exim/sa.html
>
> Line 63 of local_scan.c is dead code.

Yeah, thanks (working on your Subject suggestion right now). That's
obviously left over from the hardcoding I had before transferring everything
to options.

> Why do you have the config file in /etc/mail instead of /etc/exim?

Good question :-)
That's because I've been maintaining exim locally for long enough and
migrated everything to /etc/mail before the exim package thought about doing
it too, but to /etc/exim.
My plan was for it to try reading the config file from /etc/mail, /etc/exim,
and /etc
I'll probably do that tonight.

I'll answer your post on exim-users separately.

Thanks for the feedback, it is appreciated.

Marc
--
Microsoft is to operating systems & security ....
                                      .... what McDonalds is to gourmet cooking
Home page: http://marc.merlins.org/   |   Finger marc_f@merlins.org for PGP key

From merlin@merlins.org Wed May 08 11:36:39 2002
Date: Tue, 7 May 2002 23:06:20 -0500
From: dman
To: Marc MERLIN
Subject: [SA-exim] feedback: SpamAssassin at SMTP time in local_scan

On Tue, May 07, 2002 at 12:15:30AM -0700, Marc MERLIN wrote:
| On Mon, May 06, 2002 at 09:54:09AM -0700, Marc MERLIN wrote:

| > http://marc.merlins.org/linux/exim/sa.html

Line 63 of local_scan.c is dead code.

Why do you have the config file in /etc/mail instead of /etc/exim?

-D

--
"He is no fool who gives up what he cannot keep to gain what he cannot lose."
        --Jim Elliot

GnuPG key : http://dman.ddts.net/~dman/public_key.gpg

From merlin@merlins.org Wed May 08 11:36:40 2002
Date: Wed, 8 May 2002 12:18:16 -0500
From: dman
To: Marc MERLIN
Subject: [SA-exim] Re: feedback: SpamAssassin at SMTP time in local_scan

On Tue, May 07, 2002 at 09:37:46PM -0700, Marc MERLIN wrote:
| On Tue, May 07, 2002 at 11:06:20PM -0500, dman wrote:
| > On Tue, May 07, 2002 at 12:15:30AM -0700, Marc MERLIN wrote:
| > | http://marc.merlins.org/linux/exim/sa.html
| >
| > Line 63 of local_scan.c is dead code.
|
| Yeah, thanks (working on your Subject suggestion right now). That's
| obviously left over from the hardcoding I had before transferring everything
| to options.

Cool, I see the Subject thing works now.

| > Why do you have the config file in /etc/mail instead of /etc/exim?
|
| Good question :-)
| That's because I've been maintaining exim locally for long enough and
| migrated everything to /etc/mail before the exim package thought about doing
| it too, but to /etc/exim.

Ok, makes sense.

| My plan was for it to try reading the config file from
| /etc/mail, /etc/exim, and /etc
| I'll probably do that tonight.

I don't think that's a big deal since there's no dynamic loading of the
function anyways. Each installation must compile it for themself, and
thus can change it. KISS. Worst-case scenario is to use a symlink.

| I'll answer your post on exim-users separately.

Good -- that will allow proper inline posting :-).

| Thanks for the feedback, it is appreciated.

You're welcome.

I added these lines at line 175 in version 1.1.

    /* make the file a valid mbox for convenience */
    #define FROM "From Wed Dec 31 23:59:59 UTC 1969\n"
    ret=write( writefd , FROM , strlen(FROM) ) ;
    CHECKERR(ret,string_sprintf("'From ' line write in %s", filename),__LINE__);

It's convenient because 'mutt -f' will see it as a mbox folder (with
just one message) and 'vim' will automatically syntax highlight it
correctly.

I'm planning on adjusting the logic a bit at some point. My idea is
to read the first line of output from the program to determine whether
it passes or fails and to extract the error message from that. The
rest of the output would be RFC2822 headers to update in the message.
Obviously 'spamc' would not work as the program in this scenario. My
reasoning is to generalize it a bit to facilitate writing my own
scanner that, in addition to delegating to spamc, would check for klez
and similar junk for immediate rejection. This program, at a minimum,
would frontend spamc and adapt spamc's output to fit the format (and
include the logic to determine pass/fail and build the error message).
This would make the local_scan more similar to exiscan in operation
(deferring to an external program for result and message) but would
keep the ability to modify a message's headers and save them for the
admin to monitor. I also expect it would reduce the amount of C in
the local_scan.

I am having a problem with the saving of messages, though. I want
them in a maildir folder. That's easy enough; I just specified a path
like /var/mail/dman/SApermreject/new and made the cur and tmp
directories myself. The problem is in permissions. All the
/var/mail/dman/SA**/* directories are dman:mail, 6770. However files
would still be created as mail:mail 0600. Thus my user account
couldn't read them. I've temporarily solved the problem by adjusting
the creat() call to set the perms to 666. I thought making the
directory SUID me would force the files to be owned by me.

-D

--
If we claim we have not sinned, we make Him out to be a liar and His
Word has no place in our lives.
        I John 1:10

GnuPG key : http://dman.ddts.net/~dman/public_key.gpg

From merlin@merlins.org Wed May 08 12:03:51 2002
Date: Wed, 8 May 2002 12:03:50 -0700
From: Marc MERLIN
To: dman
Cc: sa-exim@merlins.org
Subject: [SA-exim] Re: feedback: SpamAssassin at SMTP time in local_scan

On Wed, May 08, 2002 at 12:18:16PM -0500, dman wrote:
> | Yeah, thanks (working on your Subject suggestion right now). That's
> | obviously left over from the hardcoding I had before transferring everything
> | to options.
>
> Cool, I see the Subject thing works now.

Yep, I just wanted to run the code overnight before announcing it and
announcing this list (no need to further annoy people on exim-users who
aren't interested)
So, you probably saw I posted version 1.1 (changelog on the web site and
inside the code)

> | My plan was for it to try reading the config file from /etc/mail,
> | /etc/exim, and /etc
> | I'll probably do that tonight.
>
> I don't think that's a big deal since there's no dynamic loading of the
> function anyways. Each installation must compile it for themself, and
> thus can change it. KISS. Worst-case scenario is to use a symlink.

I didn't get around to it since I had to go to bed eventually, but I agree
with you. I think that's why I didn't do it the first time around.

> I added these lines at line 175 in version 1.1.
>
>     /* make the file a valid mbox for convenience */
>     #define FROM "From Wed Dec 31 23:59:59 UTC 1969\n"
>     ret=write( writefd , FROM , strlen(FROM) ) ;
>     CHECKERR(ret,string_sprintf("'From ' line write in %s", filename),__LINE__);
>
> It's convenient because 'mutt -f' will see it as a mbox folder (with
> just one message) and 'vim' will automatically syntax highlight it
> correctly.

That's a good idea, I'll add that.

> I'm planning on adjusting the logic a bit at some point. My idea is
> to read the first line of output from the program to determine whether
> it passes or fails and to extract the error message from that. The
> rest of the output would be RFC2822 headers to update in the message.
> Obviously 'spamc' would not work as the program in this scenario. My
> reasoning is to generalize it a bit to facilitate writing my own
> scanner that, in addition to delegating to spamc, would check for klez
> and similar junk for immediate rejection. This program, at a minimum,
> would frontend spamc and adapt spamc's output to fit the format (and
> include the logic to determine pass/fail and build the error message).

Yeah, I've also given some thought into moving my system_filter rejects at
SMTP time.
That said, each of them can be done with a condition statement in the RCPT
or DATA ACL, so they may be better off there.

> This would make the local_scan more similar to exiscan in operation
> (deferring to an external program for result and message) but would
> keep the ability to modify a message's headers and save them for the
> admin to monitor. I also expect it would reduce the amount of C in
> the local_scan.

That's an option.

> I am having a problem with the saving of messages, though. I want
> them in a maildir folder. That's easy enough; I just specified a path
> like /var/mail/dman/SApermreject/new and made the cur and tmp
> directories myself. The problem is in permissions. All the
> /var/mail/dman/SA**/* directories are dman:mail, 6770. However files
> would still be created as mail:mail 0600. Thus my user account
> couldn't read them. I've temporarily solved the problem by adjusting
> the creat() call to set the perms to 666.

I hadn't envisioned that use (i.e. a user, not root, reading the mailboxes)
Yeah, the creat call forces the permissions.

> I thought making the directory SUID me would force the files to be owned
> by me.

Nope, it doesn't do that :-)

Marc

From merlin@merlins.org Wed May 08 16:50:12 2002
Date: Wed, 8 May 2002 16:50:11 -0700
From: Marc MERLIN
To: dman
Cc: sa-exim@merlins.org
Subject: Re: [SA-exim] Re: feedback: SpamAssassin at SMTP time in local_scan

On Wed, May 08, 2002 at 12:03:50PM -0700, Marc MERLIN wrote:
> > I'm planning on adjusting the logic a bit at some point. My idea is
> > to read the first line of output from the program to determine whether
> > it passes or fails and to extract the error message from that. The
> > rest of the output would be RFC2822 headers to update in the message.
> > Obviously 'spamc' would not work as the program in this scenario. My
> > reasoning is to generalize it a bit to facilitate writing my own
> > scanner that, in addition to delegating to spamc, would check for klez
> > and similar junk for immediate rejection. This program, at a minimum,
> > would frontend spamc and adapt spamc's output to fit the format (and
> > include the logic to determine pass/fail and build the error message).
>
> Yeah, I've also given some thought into moving my system_filter rejects at
> SMTP time.
> That said, each of them can be done with a condition statement in the RCPT
> or DATA ACL, so they may be better off there.

Actually, I was wrong, most of the scans are done on the message body.

I don't want to rewrite eximscan inside my code, that said, I don't really
care to do actual virus checking either, I'm content doing simple string
matches like what we have in system_filter right now.
I'll make another version tonight with your mail save idea, and think about
what I can reasonably add to do simple matching on the body (anything
matching in the headers can be done with "condition" in the exim ACLs)

Marc

From dman@dman.ddts.net Wed May 08 18:57:29 2002
Date: Wed, 8 May 2002 21:06:56 -0500
From: dman
To: Marc MERLIN
Cc: sa-exim@merlins.org
Subject: Re: [SA-exim] Re: feedback: SpamAssassin at SMTP time in local_scan

On Wed, May 08, 2002 at 04:50:11PM -0700, Marc MERLIN wrote:
| On Wed, May 08, 2002 at 12:03:50PM -0700, Marc MERLIN wrote:
| > > I'm planning on adjusting the logic a bit at some point. My idea is
| > > to read the first line of output from the program to determine whether
| > > it passes or fails and to extract the error message from that. The
| > > rest of the output would be RFC2822 headers to update in the message.
| > > Obviously 'spamc' would not work as the program in this scenario. My
| > > reasoning is to generalize it a bit to facilitate writing my own
| > > scanner that, in addition to delegating to spamc, would check for klez
| > > and similar junk for immediate rejection. This program, at a minimum,
| > > would frontend spamc and adapt spamc's output to fit the format (and
| > > include the logic to determine pass/fail and build the error message).
| >
| > Yeah, I've also given some thought into moving my system_filter
| > rejects at SMTP time. That said, each of them can be done with a
| > condition statement in the RCPT or DATA ACL, so they may be better
| > off there.
|
| Actually, I was wrong, most of the scans are done on the message body.
|
| I don't want to rewrite eximscan inside my code, that said, I don't really
| care to do actual virus checking either, I'm content doing simple string
| matches like what we have in system_filter right now.

Same here -- I wasn't intending to attach a real virus scanner. I was
merely intending to move the system filter stuff to SMTP time by way
of the proposed interface.

| I'll make another version tonight with your mail save idea, and think about
| what I can reasonably add to do simple matching on the body (anything
| matching in the headers can be done with "condition" in the exim ACLs)

Hmm, that's an idea. I reread the ACL part of the spec, and it seems
that the system filter can be redone as an acl almost identically,
though it makes the text harder to read. I converted most of it to an
acl, but didn't test it yet.

Anyways, one of the reasons for having the more general external-process
interface is to put all of that logic into a separate program. This
eliminates the need to rebuild and re-install exim for each change, and
allows the tests to be written in a higher-level language than C.

-D

PS. I'm not getting any messages from the list, only the Cc'd copy.

--
It took the computational power of three Commodore 64s to fly to the moon.
It takes at least a 486 to run Windows 95.
Something is wrong here.

GnuPG key : http://dman.ddts.net/~dman/public_key.gpg

From merlin@merlins.org Wed May 08 19:06:30 2002
Date: Wed, 8 May 2002 19:06:29 -0700
From: Marc MERLIN
To: dman
Cc: sa-exim@lists.merlins.org
Subject: Re: [SA-exim] Re: feedback: SpamAssassin at SMTP time in local_scan

On Wed, May 08, 2002 at 09:06:56PM -0500, dman wrote:
> | I'll make another version tonight with your mail save idea, and think about
> | what I can reasonably add to do simple matching on the body (anything
> | matching in the headers can be done with "condition" in the exim ACLs)
>
> Hmm, that's an idea. I reread the ACL part of the spec, and it seems
> that the system filter can be redone as an acl almost identically,
> though it makes the text harder to read. I converted most of it to an
> acl, but didn't test it yet.

Can you scan the mail body with condition?

> Anyways, one of the reasons for having the more general external-process
> interface is to put all of that logic into a separate program. This
> eliminates the need to rebuild and re-install exim for each change, and
> allows the tests to be written in a higher-level language than C.

Yep, but you're probably not going to be happy with the overhead.
What we really need is for exim to dynamically load a local_scan.so

As for your wish to do more serious modifications, we probably need/want a
second hook, after the mail has been accepted, as you mentioned earlier.
I think we should wait for Philip to come back, and discuss this with him.

> -D
>
> PS. I'm not getting any messages from the list, only the Cc'd copy.

2002-05-08 18:57:33 175dBT-0002IM-00 => dman@dman.ddts.net F= R=lookuphost T=remote_smtp S=5623 H=dman.ddts.net
[65.107.69.216] C="250 OK id=175dKk-0005bg-00"

Marc

From dman@dman.ddts.net Wed May 08 20:33:06 2002
Date: Wed, 8 May 2002 22:42:33 -0500
From: dman
To: sa-exim@lists.merlins.org
Subject: Re: [SA-exim] Re: feedback: SpamAssassin at SMTP time in local_scan

On Wed, May 08, 2002 at 07:06:29PM -0700, Marc MERLIN wrote:
| On Wed, May 08, 2002 at 09:06:56PM -0500, dman wrote:
| > | I'll make another version tonight with your mail save idea, and think about
| > | what I can reasonably add to do simple matching on the body (anything
| > | matching in the headers can be done with "condition" in the exim ACLs)
| >
| > Hmm, that's an idea. I reread the ACL part of the spec, and it seems
| > that the system filter can be redone as an acl almost identically,
| > though it makes the text harder to read. I converted most of it to an
| > acl, but didn't test it yet.
|
| Can you scan the mail body with condition?

Untested so far (busy working on a practical joke tonight :-)) :

    deny condition = ${if match {"$message_body $message_body_end"} {"(?:Content-.*audio/x-wav.*\.(?:pif|exe))|(?:Content-.*audio/x-mid.*\.(?:scr|exe))|(?:)"
         log_message = "klez (sender: $sender_address) (From: $h_From:)"
         message = "This message has been rejected because the body contains\ntext that appears to be MIME Content-Type: headers used by KLEZ.\nIf you intended to send the data then please gzip it and resend it."

| > Anyways, one of the reasons for having the more general external-process
| > interface is to put all of that logic into a separate program. This
| > eliminates the need to rebuild and re-install exim for each change, and
| > allows the tests to be written in a higher-level language than C.
|
| Yep, but you're probably not going to be happy with the overhead.

Maybe. Right now I have substituted /usr/local/bin/mailscanner.py as
the "spamc" command. It is

    #!/usr/bin/python2.2
    import sys , os
    # os.system() returns the wait status; the exit code is its high byte
    sys.exit( os.system( "/usr/bin/spamc" ) >> 8 )

Thus it provides the overhead of running python without any additional
results. Thus far it really hasn't hurt performance noticeably. The
scans are taking between 0 and 4 seconds most of the time and I see no
more than 7 seconds right now (though I should make a script to count
it). It will all depend on how efficiently the more advanced parsing
and logic executes. That can't be determined without a profiler.

One of the things this more advanced scanner would do is differentiate
between klez and a message on exim-user asking about it. The problem
with the match above is it doesn't differentiate between mime headers
and the body of the message. I haven't really thought of any features
beyond that, but like the flexibility it would provide.

| What we really need is for exim to dynamically load a local_scan.so

Yes. I'd rather keep the local_scan() simple and put the complexity in
a higher-level language. (my preference is python; use perl if you
prefer)

| As for your wish to do more serious modifications, we probably need/want a
| second hook, after the mail has been accepted, as you mentioned earlier.

Yeah, that would be where general-purpose mangling (or de-mangling) of
messages would fit in best.

| I think we should wait for Philip to come back, and discuss this with him.

Sure.

| > PS. I'm not getting any messages from the list, only the Cc'd copy.
|
| 2002-05-08 18:57:33 175dBT-0002IM-00 => dman@dman.ddts.net F= R=lookuphost T=remote_smtp S=5623 H=dman.ddts.net
| [65.107.69.216] C="250 OK id=175dKk-0005bg-00"

That's the first one that came through. Looks like whatever the
problem was it's gone now (maybe because I tried to subscribe again).
-D

--
Who can say, "I have kept my heart pure; I am clean and without sin"?
        Proverbs 20:9

GnuPG key : http://dman.ddts.net/~dman/public_key.gpg

From merlin@merlins.org Wed May 08 23:13:20 2002
Date: Wed, 8 May 2002 23:13:20 -0700
From: Marc MERLIN
To: sa-exim@lists.merlins.org
Message-ID: <20020509061319.GH16495@merlins.org>
Subject: [SA-exim] SA-Exim 1.1.1 released

This is a minor improvement suggested by dman

2002/05/08 - v1.1.1
- Added fake envelope from to mails that we save on disk so that they can
  be opened with MUAs (idea from dman)

Available here:
http://marc.merlins.org/linux/exim/sa.html
(I updated local_scan.c, and the exim package)

Marc
--
Microsoft is to operating systems & security .... ....
what McDonalds is to gourmet cooking
Home page: http://marc.merlins.org/ | Finger marc_f@merlins.org for PGP key

From merlin@merlins.org Tue May 14 08:07:51 2002
Date: Tue, 14 May 2002 08:07:50 -0700
From: Marc MERLIN
To: sa-exim@lists.merlins.org
Message-ID: <20020514150750.GH23831@merlins.org>
Subject: [SA-exim] SA-Exim 1.2.1 released

This fixes a couple of bugs

* 2002/05/13 - v1.2.1
    o v1.2 (unreleased) didn't work right: it tagged messages properly, but
      failed to see what was marked as spam and couldn't reject messages.
      Fixed.
    o Stripped newlines in header lines (better for logging)
    o fixed header_add bug if headers contained '%'
* 2002/05/12 - v1.2 (unreleased)
    o According to Craig R Hughes, any X-Spam header can be multiline.
      Let's parse them accordingly

The bugs aren't often occurring, but rewritten headers with a percent sign
would make exim unhappy;
2002-05-13 00:12:29 177A0S-0006uz-00 string_format: unsupported type in "% "
and SA was recently modified to cut long headers in chunks on several lines.
SA-Exim didn't expect that and would then cause part of the headers to end
up in the mail body

Those two problems should now be fixed, and you can get the new version here:
http://marc.merlins.org/linux/exim/sa.html

Marc
--
Microsoft is to operating systems & security ....
                                      .... what McDonalds is to gourmet cooking
Home page: http://marc.merlins.org/ | Finger marc_f@merlins.org for PGP key

From merlin@merlins.org Wed May 15 17:43:38 2002
Date: Wed, 15 May 2002 17:43:37 -0700
From: Marc MERLIN
To: sa-exim@lists.merlins.org
Message-ID: <20020516004336.GG29664@merlins.org>
Subject: [SA-exim] Heads up on current releases

Hi,

Just a heads up if you are using sa-exim on your mail server: I've seen at
least two instances where something weird happened

One mail ended up in my mailbox like this:
Subject: Re: Thanks for the mixesContent-Type: text/plain; charset=us-asciiX-Spam-Status: No, hits=-4.4 required=1.0 tests=IN_REP_TO version=2.20X-Spam-Level:

I haven't yet found what triggers this, but I recommend you set your
debugging level to 6 so that you get a good debug trace should this ever
happen to you (only happened once to me in 1000 mails/day or so)

Note that it's not a critical bug, it's trivial to fix the Email, and
nothing is lost.
It's just something that shouldn't happen :-)

I have full debugging turned on on my server, but this hasn't happened
again, so I may not be able to fix this right away

If you do see something like this, please report it to me (and the
appropriate debug lines would be greatly appreciated :-D)

Thanks
Marc
--
Microsoft is to operating systems & security ....
                                      .... what McDonalds is to gourmet cooking
Home page: http://marc.merlins.org/ | Finger marc_f@merlins.org for PGP key

From merlin@merlins.org Sun May 19 17:48:55 2002
Date: Sun, 19 May 2002 17:48:55 -0700
From: Marc MERLIN
To: sa-exim@lists.merlins.org
Message-ID: <20020520004855.GK716@merlins.org>
Subject: [SA-exim] SA-Exim 1.2.2 Released

Ok, good news:
The problems that I suspected with version 1.2.1 weren't there. The header
corruption that I very occasionally experienced was due to people using
outlook (duh!) which created an invalid references header, which in turn
upset mailman.

So, if you were running in full debugging mode, you can probably set it
back to 1 or 0.

I just released 1.2.2 which outside of two very minor code cleanups takes
care of actually remembering spamassassin.conf values across calls.
Because exim spawns itself, each instance of exim will have to re-read the
config file, but once it's read it, it's able to keep the options in memory
if it gets called again before it exits.

As usual, it's all here:
http://marc.merlins.org/linux/exim/sa.html

The binaries I compiled (debian packages in the files/ directory) also
contain my improved error message & postmaster callback patch that you can
find here:
http://marc.merlins.org/linux/exim/

I think I'll leave the code alone now (barring any bugs that you or I might
find), and I have several plans on improving SpamAssassin itself so that
it's more suited to running quickly at SMTP time.

Marc
--
Microsoft is to operating systems & security ....
                                      .... what McDonalds is to gourmet cooking
Home page: http://marc.merlins.org/ | Finger marc_f@merlins.org for PGP key

From dman@dman.ddts.net Mon May 20 20:53:13 2002
Date: Mon, 20 May 2002 23:01:56 -0500
From: dman
To: sa-exim@lists.merlins.org
Message-ID: <20020521040156.GA20327@dman.ddts.net>
Subject: [SA-exim] exim processes stuck using the CPU

I've got exim 4.04 with Marc Merlin's local_scan() function (v 1.1).
The system is Linux 2.4.18 and is using an IDE disk with ext3
filesystem. Tonight I found 5 exim processes each consuming as much
CPU time as possible. Connecting to each one with gdb showed the
following backtrace :

#0 0x40271c9c in _IO_un_link () from /lib/libc.so.6
#1 0x402680cf in fclose () from /lib/libc.so.6
#2 0x0807731e in receive_msg ()
#3 0x0804d98c in handle_smtp_call ()
#4 0x0804ec65 in daemon_go ()
#5 0x0805c913 in main ()
#6 0x4022014f in __libc_start_main () from /lib/libc.so.6

Looking at the spool I see lots of duplicate -D files and no
corresponding -H file. The only interesting thing about the messages
is that the 3 of them are all in a single thread from a certain
mailing list. These files are dated from May 14 through May 20
(today).

The 5 running processes each have a different file open in the
SAdevnull directory. Each of those files are for the exact same
(stock quote) spam message from an excite.com address.

This almost looks like a libc problem, but could it be caused by a
race condition of some sort since it seems related to the local_scan's
saving of the message?

TIA,
-D

--
Dishonest money dwindles away,
but he who gathers money little by little makes it grow.
        Proverbs 13:11

GnuPG key : http://dman.ddts.net/~dman/public_key.gpg

From merlin@merlins.org Tue May 21 00:12:41 2002
Date: Tue, 21 May 2002 00:12:40 -0700
From: Marc MERLIN
To: sa-exim@lists.merlins.org
Subject: Re: [SA-exim] exim processes stuck using the CPU -> v1.3 released
Message-ID: <20020521071240.GA21151@merlins.org>
References: <20020521040156.GA20327@dman.ddts.net>
In-Reply-To: <20020521040156.GA20327@dman.ddts.net>

On Mon, May 20, 2002 at 11:01:56PM -0500, dman wrote:
> I've got exim 4.04 with Marc Merlin's local_scan() function (v 1.1).

Note that you will have problems (very occasionally) with anything less than
version 1.2.1, since it doesn't parse multiline headers correctly when they
come from SA (I wasn't expecting any, but the SA code has apparently been
changed to generate some now)

> The system is Linux 2.4.18 and is using an IDE disk with ext3
> filesystem.
> Tonight I found 5 exim processes each consuming as much
> CPU time as possible. Connecting to each one with gdb showed the
> following backtrace :
>
> #0 0x40271c9c in _IO_un_link () from /lib/libc.so.6
> #1 0x402680cf in fclose () from /lib/libc.so.6

Mmmh, so there is a problem while removing messages on disk. How weird.

> The 5 running processes each have a different file open in the
> SAdevnull directory. Each of those files are for the exact same
> (stock quote) spam message from an excite.com address.

Mmmh, they shouldn't. Once the spam is written on disk, the FH should be
closed.
Ah, yeah, I didn't close the file myself in the code (small oversight), it
only got closed when the process exited.
It shouldn't be fatal, but it's not great either, and might somehow be
causing the problem you see.

This is something that should be fixed though, so I've just released v1.3
http://marc.merlins.org/linux/exim/sa.html

Marc
--
Microsoft is to operating systems & security ....
                                      .... what McDonalds is to gourmet cooking
Home page: http://marc.merlins.org/ | Finger marc_f@merlins.org for PGP key

From dman@dman.ddts.net Tue May 21 05:57:33 2002
Date: Tue, 21 May 2002 08:06:19 -0500
From: dman
To: sa-exim@lists.merlins.org
Message-ID: <20020521130619.GA23475@dman.ddts.net>
References: <20020521040156.GA20327@dman.ddts.net>
 <20020521071240.GA21151@merlins.org>
In-Reply-To: <20020521071240.GA21151@merlins.org>
Subject: Re: [SA-exim] exim processes stuck using the CPU -> v1.3 released

On Tue, May 21, 2002 at 12:12:40AM -0700, Marc MERLIN wrote:
| On Mon, May 20, 2002 at 11:01:56PM -0500, dman wrote:
| > I've got exim 4.04 with Marc Merlin's local_scan() function (v 1.1).
|
| Note that you will have problems (very occasionally) with anything less than
| version 1.2.1, since it doesn't parse multiline headers correctly when they
| come from SA (I wasn't expecting any, but the SA code has apparently been
| changed to generate some now)

Yeah, I just hadn't made any changes to my system yet.

| > The system is Linux 2.4.18 and is using an IDE disk with ext3
| > filesystem. Tonight I found 5 exim processes each consuming as much
| > CPU time as possible. Connecting to each one with gdb showed the
| > following backtrace :
| >
| > #0 0x40271c9c in _IO_un_link () from /lib/libc.so.6
| > #1 0x402680cf in fclose () from /lib/libc.so.6
|
| Mmmh, so there is a problem while removing messages on disk. How weird.

Yeah, that's what makes me think it might be a libc problem. The
processes use as much CPU as the scheduler will give them.
(fortunately the scheduler is rather decent so the system stayed alive
:-))

| > The 5 running processes each have a different file open in the
| > SAdevnull directory. Each of those files are for the exact same
| > (stock quote) spam message from an excite.com address.
|
| Mmmh, they shouldn't. Once the spam is written on disk, the FH should be
| closed.
| Ah, yeah, I didn't close the file myself in the code (small oversight), it
| only got closed when the process exited.
| It shouldn't be fatal, but it's not great either, and might somehow be
| causing the problem you see.
|
| This is something that should be fixed though, so I've just released v1.3
| http://marc.merlins.org/linux/exim/sa.html

I just upgraded. We'll see if the problem comes back. I should see
the message again because I think exim doesn't give back the 250
response (I got 4 more copies this morning before I got up).

-D

--
Emacs is a nice operating system, it lacks a decent editor though

GnuPG key : http://dman.ddts.net/~dman/public_key.gpg

From pfournier@loups.net Mon May 27 19:43:15 2002
Message-ID: <1022553782.3cf2eeb6a85fd@www.courrier.sabius.net>
Date: Mon, 27 May 2002 22:43:02 -0400
From: Patrice Fournier
To: sa-exim@lists.merlins.org
Subject: [SA-exim] small requests

Hi,

I finally installed SA-exim. Now, it seems to work great (we'll see in the
next couple of days! :) ). Here are some enhancements I'd like to see:

- SA-exim should create the required directories (SApermreject, ...) when
  it has the rights to OR it should be written in the config file that the
  directory must already exist.

Now, here's the reason for this mail:

- Should log rejects in the rejectlog as well as in the mainlog.

- When rejecting mail, should (be able to) log the connected host IP and
  the sender and recipients addresses as Exim won't do it.

I think there was something else, but I'll have to write again if I ever
remember what it was.
:)

Thanks,
--
Patrice Fournier
pfournier@loups.net

From pfournier@loups.net Mon May 27 22:53:42 2002
Message-ID: <1022565213.3cf31b5da71d7@www.courrier.sabius.net>
Date: Tue, 28 May 2002 01:53:33 -0400
From: Patrice Fournier
To: sa-exim@lists.merlins.org
References: <1022553782.3cf2eeb6a85fd@www.courrier.sabius.net>
In-Reply-To: <1022553782.3cf2eeb6a85fd@www.courrier.sabius.net>
Subject: Re: [SA-exim] small requests

Quoting Patrice Fournier:

> - Should log rejects in the rejectlog as well as in the mainlog.
Ok, it seems I have been mistaken here, when I looked at my rejectlog after
having turned off debugging in sa-exim and sent a new test spam message to
myself, I noticed that the last couple of lines in the rejectlog were the
headers of the spam test I was using which I thought were written when in
debug mode and thought the reject message was not written in the log file.
(it was buried somewhere between the hundreds of header lines and I missed
it).

So anyway, I did a quick scan of local_scan.c and couldn't find where this
was written to log, do you get the complete (new) headers in exim spool
format of a spam in rejectlog when there is a permreject? How would one
disable this? I suppose this is not intended behaviour, and if I'm the only
one who gets this, I'll try to debug it, but I probably won't have time to
do it this week.

It may be due to my log selection in Exim:
log_selector = +smtp_protocol_error +smtp_syntax_error -retry_defer

Thanks,
--
Patrice Fournier
pfournier@loups.net

From dman@dman.ddts.net Tue May 28 08:44:37 2002
Date: Tue, 28 May 2002 10:53:57 -0500
From: dman
To: sa-exim@lists.merlins.org
Message-ID: <20020528155357.GA26083@dman.ddts.net>
References: <1022553782.3cf2eeb6a85fd@www.courrier.sabius.net>
 <1022565213.3cf31b5da71d7@www.courrier.sabius.net>
In-Reply-To: <1022565213.3cf31b5da71d7@www.courrier.sabius.net>
Subject: Re: [SA-exim] small requests

On Tue, May 28, 2002 at 01:53:33AM -0400, Patrice Fournier wrote:
| Quoting Patrice Fournier:
|
| > - Should log rejects in the rejectlog as well as in the mainlog.
|
| Ok, it seems I have been mistaken here, when I looked at my rejectlog
| after having turned off debugging in sa-exim and sent a new test spam
| message to myself, I noticed that the last couple of lines in the
| rejectlog were the headers of the spam test I was using which I thought
| were written when in debug mode and thought the reject message was not
| written in the log file. (it was buried somewhere between the hundreds of
| header lines and I missed it).
|
| So anyway, I did a quick scan of local_scan.c and couldn't find where this
| was written to log, do you get the complete (new) headers in exim spool
| format of a spam in rejectlog when there is a permreject?

When local_scan returns LOCAL_SCAN_REJECT, exim logs the message in
rejectlog. The SA headers are present because Marc added them to the
message before returning the reject code.

| How would one disable this?

I don't know if it can be disabled without rewriting (part of) exim.
HTH,
-D

--
The crucible for silver and the furnace for gold,
but the Lord tests the heart.
        Proverbs 17:3

GnuPG key : http://dman.ddts.net/~dman/public_key.gpg

From merlin@merlins.org Tue May 28 22:53:45 2002
Date: Tue, 28 May 2002 22:53:44 -0700
From: Marc MERLIN
To: Patrice Fournier, sa-exim@lists.merlins.org
Subject: Re: [SA-exim] small requests
Message-ID: <20020529055344.GY22319@merlins.org>
References: <1022553782.3cf2eeb6a85fd@www.courrier.sabius.net>
 <1022565213.3cf31b5da71d7@www.courrier.sabius.net>
 <20020528155357.GA26083@dman.ddts.net>
 <1022553782.3cf2eeb6a85fd@www.courrier.sabius.net>
 <1022565213.3cf31b5da71d7@www.courrier.sabius.net>
 <1022553782.3cf2eeb6a85fd@www.courrier.sabius.net>
In-Reply-To: <20020528155357.GA26083@dman.ddts.net>
 <1022565213.3cf31b5da71d7@www.courrier.sabius.net>
 <1022553782.3cf2eeb6a85fd@www.courrier.sabius.net>

On Mon, May 27, 2002 at 10:43:02PM -0400, Patrice Fournier wrote:
> Hi,
>
> I finally installed SA-exim. Now, it seems to work great (we'll see in the
> next couple of days! :) ). Here are some enhancements I'd like to see:

Welcome to the club Patrice :-)

> - SA-exim should create the required directories (SApermreject, ...) when
> it has the rights to OR it should be written in the config file that the
> directory must already exist.

Mmmh, it's actually hard.
The reason is that it runs as UID/GID mail or exim or whatever, and that
user is typically not allowed to create directories in /var/spool

> Now, here's the reason for this mail:
>
> - Should log rejects in the rejectlog as well as in the mainlog.

Yep, does that :)

> - When rejecting mail, should (be able to) log the connected host IP and
> the sender and recipients addresses as Exim won't do it.

Mmmh, I'll add that to the wishlist.
Mainlog, rejectlog or both?

On Tue, May 28, 2002 at 01:53:33AM -0400, Patrice Fournier wrote:
> So anyway, I did a quick scan of local_scan.c and couldn't find where this
> was written to log, do you get the complete (new) headers in exim spool
> format of a spam in rejectlog when there is a permreject? How would one
> disable this?

See the bottom of the code

/* To ask Philip:
   1) read/use return_text on 2xx
   2) optional LOCAL_SCAN_REJECT without triggering a full dump of the
      rejected headers so that I can return a different message than
      what I log
   3) I need to return '\n' in return_text, but it gets logged, and
      log_write isn't supposed to get newlines... See #2
*/

When I return LOCAL_SCAN_REJECT, exim dumps the message. I can't turn it off
or control it.

On Tue, May 28, 2002 at 10:53:57AM -0500, dman wrote:
> When local_scan returns LOCAL_SCAN_REJECT, exim logs the message in
> rejectlog. The SA headers are present because Marc added them to the
> message before returning the reject code.
>
> | How would one disable this?
>
> I don't know if it can be disabled without rewriting (part of) exim.

Yep.
Thanks for helping dman :-)

Marc
--
Microsoft is to operating systems & security ....
                                      .... what McDonalds is to gourmet cooking
Home page: http://marc.merlins.org/ | Finger marc_f@merlins.org for PGP key

From pfournier@loups.net Wed May 29 14:26:53 2002
Message-ID: <1022707591.3cf54787b5b45@www.courrier.sabius.net>
Date: Wed, 29 May 2002 17:26:31 -0400
From: Patrice Fournier
To: Marc MERLIN
Cc: sa-exim@lists.merlins.org
References: <1022553782.3cf2eeb6a85fd@www.courrier.sabius.net>
 <1022565213.3cf31b5da71d7@www.courrier.sabius.net>
 <20020528155357.GA26083@dman.ddts.net>
 <1022553782.3cf2eeb6a85fd@www.courrier.sabius.net>
 <1022565213.3cf31b5da71d7@www.courrier.sabius.net>
 <1022553782.3cf2eeb6a85fd@www.courrier.sabius.net>
 <20020529055344.GY22319@merlins.org>
In-Reply-To: <20020529055344.GY22319@merlins.org>
Subject: Re: [SA-exim] small requests

Quoting Marc MERLIN:

> On Mon, May 27, 2002 at 10:43:02PM -0400, Patrice Fournier wrote:
> Welcome to the club Patrice :-)

Thanks! :)

> > - SA-exim should create the required directories (SApermreject, ...)
> > when it has the rights to OR it should be written in the config file
> > that the directory must already exist.
>
> Mmmh, it's actually hard.
> The reason is that it runs as UID/GID mail or exim or whatever, and
> that user is typically not allowed to create directories in /var/spool

should be allowed to create directories in /var/spool/exim which is
where they are when using your example config file...

> > - When rejecting mail, should (be able to) log the connected host IP
> > and the sender and recipients addresses as Exim won't do it.
>
> Mmmh, I'll add that to the wishlist.
> Mainlog, rejectlog or both?

I'd say both if we want to be consistent with how other rejects are logged
in Exim.

> On Tue, May 28, 2002 at 01:53:33AM -0400, Patrice Fournier wrote:
> > So anyway, I did a quick scan of local_scan.c and couldn't find where
> > this was written to log, do you get the complete (new) headers in exim
> > spool format of a spam in rejectlog when there is a permreject? How
> > would one disable this?
>
> See the bottom of the code

Thanks, I see it now.. When I read those comments before, I didn't
understand the second one to mean this...

Now, something new in this email:

I'd also like to have an option to save messages that are tagged as spam
but still let through. I know I could just set a router to do this, but I'd
prefer to keep the spam settings in sa-exim.
--
Patrice Fournier
pfournier@loups.net

From CColes@keylabs.com Wed May 29 15:48:36 2002
Message-ID: <0FE563CEB3B3D51185CB00508B667DEE59E059@MS01>
From: Craig Coles
To: sa-exim@lists.merlins.org
Date: Wed, 29 May 2002 16:44:38 -0600
Subject: [SA-exim] PermReject

I've been running SA-Exim now for maybe a week, and have already got most of
the company sold on the features!!

I am currently devnulling above 18 and have been trying to do a permreject
at 20 or above, however I see in the logs that the messages are 'silently
tossed' according to the devnull rule of 18. I can't see where the
permreject rule is being referenced. Have I missed something to enable it?
(yes the SApermreject: 20 line is enabled...)

While I am at it... I've got another question about whitelisting. I am
running Debian and have installed SpamAssassin as a package. This set up
some default rules in /etc/mail, one of which is for whitelisting. Is it
possible to do a 'whitelist_to' for a few of my users that think that an
automated process is not capable of determining that mail is SPAM!??
I would love to turn loose all the SPAM for them without any filtering at all,
but not the rest of the company, and then we will see how they like making
all their own decisions...

Thanks,
-Craig

From dman@dman.ddts.net Wed May 29 16:04:08 2002
Date: Wed, 29 May 2002 18:13:37 -0500
From: dman
To: sa-exim@lists.merlins.org
Message-ID: <20020529231337.GA32270@dman.ddts.net>
In-Reply-To: <1022707591.3cf54787b5b45@www.courrier.sabius.net>
Subject: Re: [SA-exim] small requests

On Wed, May 29, 2002 at 05:26:31PM -0400, Patrice Fournier wrote:
| Now, something new in this email:
|
| I'd also like to have an option to save messages that are tagged as spam
| but still let through. I know I could just set a router to do this, but I'd
| prefer to keep the spam settings in sa-exim.

You can set the sa-exim threshold to be higher than SA's threshold.
The messages will be tagged if they exceed SA's threshold, but will
only be rejected if they exceed sa-exim's threshold.

-D

--
The heart is deceitful above all things and beyond cure.
Who can understand it?
I the Lord search the heart and examine the mind,
to reward a man according to his conduct,
according to what his deeds deserve.
Jeremiah 17:9-10

GnuPG key : http://dman.ddts.net/~dman/public_key.gpg

From dman@dman.ddts.net Wed May 29 16:12:03 2002
Date: Wed, 29 May 2002 18:21:30 -0500
From: dman
To: sa-exim@lists.merlins.org
Message-ID: <20020529232130.GB32270@dman.ddts.net>
In-Reply-To: <0FE563CEB3B3D51185CB00508B667DEE59E059@MS01>
Subject: Re: [SA-exim] PermReject

On Wed, May 29, 2002 at 04:44:38PM -0600, Craig Coles wrote:
| I've been running SA-Exim now for maybe a week, and have already got most of
| the company sold on the features!!
|
| I am currently devnulling above 18 and have been trying to do a permreject
| at 20 or above, however I see in the logs that the messages are 'silently
| tossed' according to the devnull rule of 18. I can't see where the
| permreject rule is being referenced. Have I missed something to enable it?
| (yes the SApermreject: 20 line is enabled...)

That isn't possible as the code is right now. The relevant section
begins on line 729 (version 1.3) (snipped for clarity) :

    if (spamvalue > SAdevnull) {
        recipients_count=0;
        return LOCAL_SCAN_ACCEPT;
    } else if (spamvalue > SApermreject) {
        return LOCAL_SCAN_REJECT;
    }
    ...

You can't accept (SAdevnull) and reject (SApermreject) the same message.
The code, right now, checks blackholing first, and since all
messages scoring >= 20 also score >= 18 it is blackholed. If you want
to reverse the order of the tests, for your site, you can do that.

| While I am at it... I've got another question about whitelisting. I am
| running Debian and have installed SpamAssassin as a package. This set up
| some default rules in /etc/mail, one of which is for whitelisting. Is it
| possible to do a 'whitelist_to' for a few of my users that think that an
| automated process is not capable of determining that mail is SPAM!?? I
| would love to turn loose all the SPAM for them without any filtering at all,
| but not the rest of the company, and then we will see how they like making
| all their own decisions...

Put those users' local parts in /etc/exim/sa_skip (lsearch format).
In the SAEximRunCond setting include something like this :

    SAEximRunCond: ${lookup {$local_part} lsearch {/etc/exim/sa_skip} {0}{1}}

If that condition yields "false" then sa-exim will accept the message
and not even run SA.
-D

--
Emacs is a nice operating system, it lacks a decent editor though

GnuPG key : http://dman.ddts.net/~dman/public_key.gpg

From merlin@merlins.org Wed May 29 17:14:34 2002
Date: Wed, 29 May 2002 17:14:33 -0700
From: Marc MERLIN
To: sa-exim@lists.merlins.org
Subject: Re: [SA-exim] PermReject
Message-ID: <20020530001433.GB16325@merlins.org>
In-Reply-To: <20020529232130.GB32270@dman.ddts.net>

On Wed, May 29, 2002 at 06:21:30PM -0500, dman wrote:
> | I am currently devnulling above 18 and have been trying to do a permreject
> | at 20 or above, however I see in the logs that the messages are 'silently
> | tossed' according to the devnull rule of 18. I can't see where the
> | permreject rule is being referenced. Have I missed something to enable it?
> | (yes the SApermreject: 20 line is enabled...)
>
> That isn't possible as the code is right now. The relevant section
> begins on line 729 (version 1.3) (snipped for clarity) :

Eheh, you're hired :-)
dman is perfectly right.

spamassassin.conf says:

    # If you reach this score, the mail is accepted and tossed (/dev/nulled)
    # The default value is 99999 which should ensure this never happens.
    # You should be real sure that the message is spam because the sender will
    # get no notification
    #SAdevnull: 20.0

In other words, you can't reject for a higher score than you devnull.
Quite frankly, I don't see why you would want to.
The way I see it, you reject if you reach a certain score, and at least give
the chance for the sender to know his mail wasn't received, but for things
where you're even more sure it's spam, you _could_ just toss it.
I believe it is an evil thing to do and don't do it myself, but I did
provide the rope :-)

> message. The code, right now, checks blackholing first, and since all
> messages scoring >= 20 also score >= 18 it is blackholed. If you want
> to reverse the order of the tests, for your site, you can do that.

Correct. I won't support that in the code, but you can trivially modify it
if you really want to do this.

> Put those users' local parts in /etc/exim/sa_skip (lsearch format).
> In the SAEximRunCond setting include something like this :
>
> SAEximRunCond: ${lookup {$local_part} lsearch {/etc/exim/sa_skip} {0}{1}}

Yep, although you'll probably want this:

    SAEximRunCond: ${if and {{def:sender_host_address} {!eq {$sender_host_address}{127.0.0.1}} {! def:h_X-Spam-Flag:} } {1}{0} {${lookup {$local_part} lsearch {/etc/exim/sa_skip} {0}{1}}}}

This will save you from:
1) scanning messages that are generated locally on your machine
2) Not scan messages that were already scanned elsewhere (unless you decide
   not to trust the header)

Marc
--
Microsoft is to operating systems & security ....
.... what McDonalds is to gourmet cooking
Home page: http://marc.merlins.org/ | Finger marc_f@merlins.org for PGP key

From merlin@merlins.org Wed May 29 17:18:36 2002
Date: Wed, 29 May 2002 17:18:35 -0700
From: Marc MERLIN
To: Patrice Fournier, sa-exim@lists.merlins.org
Subject: Re: [SA-exim] small requests
Message-ID: <20020530001834.GC16325@merlins.org>
In-Reply-To: <20020529231337.GA32270@dman.ddts.net> <1022707591.3cf54787b5b45@www.courrier.sabius.net>

On Wed, May 29, 2002 at 05:26:31PM -0400, Patrice Fournier wrote:
> > Mmmh, it's actually hard.
> > The reason is that it runs as UID/GID mail or exim or whatever, and
> > that user is typically not allowed to create directories in /var/spool
>
> should be allowed to create directories in /var/spool/exim which is
> where they are when using your example config file...

You're right, I got confused. I'll add a few mkdirs and not check for error
if they fail somehow.

> > > - When rejecting mail, should (be able to) log the connected host IP
> > >   and the sender and recipients addresses as Exim won't do it.
> >
> > Mmmh, I'll add that to the wishlist.
> > Mainlog, rejectlog or both?
>
> I'd say both if we want to be consistent with how other rejects are logged
> in Exim.

I'll add that to the list of things to do.

On Wed, May 29, 2002 at 06:13:37PM -0500, dman wrote:
> | I'd also like to have an option to save messages that are tagged as spam
> | but still let through. I know I could just set a router to do this, but I'd
> | prefer to keep the spam settings in sa-exim.
>
> You can set the sa-exim threshold to be higher than SA's threshold.
> The messages will be tagged if they exceed SA's threshold, but will
> only be rejected if they exceed sa-exim's threshold.

Correct.
Is this what you needed Patrice?

Marc
--
Microsoft is to operating systems & security ....
.... what McDonalds is to gourmet cooking
Home page: http://marc.merlins.org/ | Finger marc_f@merlins.org for PGP key

From pfournier@loups.net Wed May 29 17:38:11 2002
Message-ID: <1022719073.3cf574618d8d6@www.courrier.sabius.net>
Date: Wed, 29 May 2002 20:37:53 -0400
From: Patrice Fournier
To: Marc MERLIN
Cc: sa-exim@lists.merlins.org
In-Reply-To: <20020530001834.GC16325@merlins.org>
Subject: Re: [SA-exim] small requests

Quoting Marc MERLIN :

> On Wed, May 29, 2002 at 06:13:37PM -0500, dman wrote:
> > | I'd also like to have an option to save messages that are tagged as
> > | spam but still let through. I know I could just set a router to do
> > | this, but I'd prefer to keep the spam settings in sa-exim.
> >
> > You can set the sa-exim threshold to be higher than SA's threshold.
> > The messages will be tagged if they exceed SA's threshold, but will
> > only be rejected if they exceed sa-exim's threshold.
>
> Correct.
> Is this what you needed Patrice?

No, I already do this, but I'd like sa-exim to save those messages in a
/var/spool/exim/SAflagged dir or something so that I could look at those
messages and see if my permreject threshold could be lowered without
rejecting false positives...
of course, I could just set up a router which checks for X-Spam-flag header
and save them in that dir (and that's probably what I'll do in the mean
time and if it never gets implemented in the official release and I get the
time to code it, I'll see if I want to keep a local patch or leave it to a
router)

Thanks,
--
Patrice Fournier
pfournier@loups.net

From dman@dman.ddts.net Wed May 29 17:40:24 2002
Date: Wed, 29 May 2002 19:49:54 -0500
From: dman
To: sa-exim@lists.merlins.org
Message-ID: <20020530004954.GA985@dman.ddts.net>
In-Reply-To: <1022719073.3cf574618d8d6@www.courrier.sabius.net>
Subject: Re: [SA-exim] small requests

On Wed, May 29, 2002 at 08:37:53PM -0400, Patrice Fournier wrote:
| Quoting Marc MERLIN :
| > On Wed, May 29, 2002 at 06:13:37PM -0500, dman wrote:
| > > | I'd also like to have an option to save messages that are tagged as
| > > | spam but still let through. I know I could just set a router to do
| > > | this, but I'd prefer to keep the spam settings in sa-exim.
| > >
| > > You can set the sa-exim threshold to be higher than SA's threshold.
| > > The messages will be tagged if they exceed SA's threshold, but will
| > > only be rejected if they exceed sa-exim's threshold.
| >
| > Correct.
| > Is this what you needed Patrice?
|
| No, I already do this, but I'd like sa-exim to save those messages in a
| /var/spool/exim/SAflagged dir or something so that I could look at those
| messages and see if my permreject threshold could be lowered without
| rejecting false positives...

Ahh, ok.

| of course, I could just set up a router which checks for X-Spam-flag
| header and save them in that dir

Or you could put it in the system filter. That also gives you the
option of using 'seen' or 'unseen' depending on whether or not you
want it to continue on to the user.

-D

--
A kindhearted woman gains respect,
but ruthless men gain only wealth.
Proverbs 11:16

GnuPG key : http://dman.ddts.net/~dman/public_key.gpg

From merlin@merlins.org Wed May 29 17:44:50 2002
Date: Wed, 29 May 2002 17:44:49 -0700
From: Marc MERLIN
To: Patrice Fournier
Cc: sa-exim@lists.merlins.org
Subject: Re: [SA-exim] small requests
Message-ID: <20020530004449.GF16325@merlins.org>
In-Reply-To: <1022719073.3cf574618d8d6@www.courrier.sabius.net>

On Wed, May 29, 2002 at 08:37:53PM -0400, Patrice Fournier wrote:
> Quoting Marc MERLIN :
> > On Wed, May 29, 2002 at 06:13:37PM -0500, dman wrote:
> > > | I'd also like to have an option to save messages that are tagged as
> > > | spam but still let through. I know I could just set a router to do
> > > | this, but I'd prefer to keep the spam settings in sa-exim.
> > >
> > > You can set the sa-exim threshold to be higher than SA's threshold.
> > > The messages will be tagged if they exceed SA's threshold, but will
> > > only be rejected if they exceed sa-exim's threshold.
> >
> > Correct.
> > Is this what you needed Patrice?
>
> No, I already do this, but I'd like sa-exim to save those messages in a
> /var/spool/exim/SAflagged dir or something so that I could look at those
> messages and see if my permreject threshold could be lowered without
> rejecting false positives... of course, I could just set up a router which

Ok, added to the list.

Marc
--
Microsoft is to operating systems & security ....
.... what McDonalds is to gourmet cooking
Home page: http://marc.merlins.org/ | Finger marc_f@merlins.org for PGP key

From pfournier@loups.net Wed May 29 18:11:04 2002
Message-ID: <1022721056.3cf57c201da83@www.courrier.sabius.net>
Date: Wed, 29 May 2002 21:10:56 -0400
From: Patrice Fournier
To: Marc MERLIN
Cc: sa-exim@lists.merlins.org
In-Reply-To: <20020530001433.GB16325@merlins.org>
Subject: Re: [SA-exim] PermReject

Quoting Marc MERLIN :

> Yep, although you'll probably want this:
> SAEximRunCond: ${if and {{def:sender_host_address} {!eq
> {$sender_host_address}{127.0.0.1}} {! def:h_X-Spam-Flag:} } {1}{0}
> {${lookup {$local_part} lsearch {/etc/exim/sa_skip} {0}{1}}}}
>
> This will save you from:
> 1) scanning messages that are generated locally on your machine
> 2) Not scan messages that were already scanned elsewhere (unless you
>    decide not to trust the header)

If you leave the X-Spam-Flag: check there, it also means that a spam tagged
as such by another system won't be rejected by sa-exim even if it scored
200, right?

hmmm.. is $local_part really available there? What's in there when the
message is destined to multiple recipients? Why don't we use this to check
for postmaster instead of the X-SA-Disable header?

While we're at it, has anyone configured sa-exim to scan/reject messages to
some users while accepting it to others?
I was thinking about something like this using the rcpt ACL:

if (first recipient)
   set a variable/header to indicate if SA must run for that recipient
else
   if (current_recipient SA setting != first recipient SA setting)
      temp reject

Now, if SA setting is a boolean value sometimes some recipients will
receive temp reject thus permitting us to still reject the message at SMTP
time for those users who don't want it. Of course, this is best if no other
ACL can produce temp reject (or at least, will not do so most of the time)

I believe this would work correctly for connections from MTAs, I'm not sure
how MUAs would react to this... Oh well, as I don't scan messages coming
through authenticated connections and MUAs sending directly to a remote mx
are sending spam most of the time (or is it always?) I don't care that much
about how those MUAs will behave.

How does Yahoo do rejections of only some of the recipients? (it's Yahoo
that only rejects after DATA, right?) Fail the message and tell in the
failure that some addresses did actually go through? I'm not sure I'd like
this...
Thanks,
-- 
Patrice Fournier
pfournier@loups.net

From merlin@merlins.org Wed May 29 18:32:17 2002
Received: from merlin by mail2.merlins.org with local (Exim 4.04 #137 (Debian)) id 17DEnY-0005jy-00; Wed, 29 May 2002 18:32:16 -0700
Date: Wed, 29 May 2002 18:32:16 -0700
From: Marc MERLIN
To: Patrice Fournier
Cc: sa-exim@lists.merlins.org
Subject: Re: [SA-exim] PermReject
Message-ID: <20020530013216.GI16325@merlins.org>
References: <0FE563CEB3B3D51185CB00508B667DEE59E059@MS01> <20020529232130.GB32270@dman.ddts.net> <20020530001433.GB16325@merlins.org> <1022721056.3cf57c201da83@www.courrier.sabius.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <1022721056.3cf57c201da83@www.courrier.sabius.net>
User-Agent: Mutt/1.3.28i
X-Sysadmin: BOFH
X-URL: http://marc.merlins.org/
X-Operating-System: Proudly running Linux 2.4.14-lvm1.0.1rc4-ext3-0.9.15-grsec-1.8.8-servers11/Debian woody
X-Mailer: Some Outlooks can't quote properly without this header
X-BeenThere: sa-exim@lists.merlins.org
X-Mailman-Version: 2.1b2+
Precedence: bulk
List-Help:
List-Archive:
List-Unsubscribe: ,
List-Subscribe: ,
List-Post:
List-Id: Discussions on the SpamAssassin in exim at SMTP time
X-List-Received-Date: Thu, 30 May 2002 01:32:17 -0000

On Wed, May 29, 2002 at 09:10:56PM -0400, Patrice Fournier wrote:
> If you leave the X-Spam-Flag: check there, it also means that a spam tagged
> as such by another system won't be rejected by sa-exim even if it scored
> 200, right?

Correct, and it may not be what you need/want

> hmmm.. is $local_part really available there? What's in there when the

No.

> message is destined to multiple recipients? Why don't we use this to check
> for postmaster instead of the X-SA-Disable header?

You can't access $local_part when you get there.
hence, you need this

warn message     = X-SA-Disable: yes
     local_parts = postmaster

> While we're at it, has anyone configured sa-exim to scan/reject messages to
> some users while accepting it to others?

I remember having done so

> I was thinking about something like this using the rcpt ACL:
> if (first recipient)
>     set a variable/header to indicate if SA must run for that recipient
> else
>     if (current_recipient SA setting != first recipient SA setting)
>         temp reject

I'm not sure I understand, and not sure what you want to do would work
either.

> Now, if SA setting is a boolean value sometimes some recipients will
> receive temp reject thus permitting us to still reject the message at SMTP
> time for those users who don't want it. Of course, this is best if no other
> ACL can produce temp reject (or at least, will not do so most of the time)

local_scan runs after DATA, you can't have it do some things for some users
and other things for other users unless you duplicate the mail and refeed it
to exim

The local_scan code does have access to the list of recipients, but you
can't use them in condition since local_part would eval to a list and not a
value.

> How does yahoo do rejections of only some of the recipients?
> (it's yahoo

mail from:
250 sender ok
rcpt to:
250 recipient ok
data
354 go ahead
test

From pfournier@loups.net Wed May 29 19:36:03 2002
Received: from sabius.net ([216.187.105.31]:35030 helo=mail.sabius.net) by mail2.merlins.org with esmtp (Cipher TLSv1:DES-CBC3-SHA:168) (Exim 4.04 #137 (Debian)) id 17DFnD-0006iT-00 for ; Wed, 29 May 2002 19:35:59 -0700
Received: from amavis by mail.sabius.net with scanned-ok (Exim 4.04) id 17DFn7-0003To-00; Wed, 29 May 2002 22:35:53 -0400
Received: from www-data by mail.sabius.net with local (Exim 4.04) id 17DFn7-0003Tf-00; Wed, 29 May 2002 22:35:53 -0400
Received: from mon-pq55-111.netcom.ca ( [mon-pq55-111.netcom.ca]) as user patrice@loups.net by www.courrier.sabius.net with HTTP; Wed, 29 May 2002 22:35:52 -0400
Message-ID: <1022726152.3cf59008e5673@www.courrier.sabius.net>
Date: Wed, 29 May 2002 22:35:52 -0400
From: Patrice Fournier
To: Marc MERLIN
Cc: sa-exim@lists.merlins.org
References: <0FE563CEB3B3D51185CB00508B667DEE59E059@MS01> <20020529232130.GB32270@dman.ddts.net> <20020530001433.GB16325@merlins.org> <1022721056.3cf57c201da83@www.courrier.sabius.net> <20020530013216.GI16325@merlins.org>
In-Reply-To: <20020530013216.GI16325@merlins.org>
MIME-Version: 1.0
User-Agent: Internet Messaging Program (IMP) 3.1
X-Originating-IP: 216.123.133.239
X-Virus-Scanned: by AMaViS 0.3.12pre6
Subject: Re: [SA-exim] PermReject
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 8bit
X-Spam-Status: No, hits=-103.2 required=7.0 tests=IN_REP_TO,MSG_ID_ADDED_BY_MTA_3,USER_IN_ALL_SPAM_TO version=2.21
X-Spam-Level:
X-BeenThere: sa-exim@lists.merlins.org
X-Mailman-Version: 2.1b2+
Precedence: bulk
List-Help:
List-Archive:
List-Unsubscribe: ,
List-Subscribe: ,
List-Post:
List-Id: Discussions on the SpamAssassin in exim at SMTP time
X-List-Received-Date: Thu, 30 May 2002 02:36:04 -0000

Quoting Marc MERLIN :

> > hmmm.. is $local_part really available there? What's in there when
> No.

Ok, so the suggestion to Craig was wrong then..
He would need the current SAEximRunCmd and this as ACL:

warn message     = X-SA-Disable: yes
     local_parts = /etc/exim/sa_skip

> > While we're at it, has anyone configured sa-exim to scan/reject messages
> > to some users while accepting it to others?
>
> I remember having done so
>
> > I was thinking about something like this using the rcpt ACL:
> > if (first recipient)
> >     set a variable/header to indicate if SA must run for that recipient
> > else
> >     if (current_recipient SA setting != first recipient SA setting)
> >         temp reject
>
> I'm not sure I understand, and not sure what you want to do would work
> either.
>
> > Now, if SA setting is a boolean value sometimes some recipients will
> > receive temp reject thus permitting us to still reject the message at
> > SMTP time for those users who don't want it. Of course, this is best
> > if no other ACL can produce temp reject (or at least, will not do so
> > most of the time)
>
> local_scan runs after DATA, you can't have it do some things for some
> users and other things for other users unless you duplicate the mail
> and refeed it to exim The local_scan code does have access to the
> list of recipients, but you can't use them in condition since
> local_part would eval to a list and not a value.
That's why I would do the check in an RCPT ACL to make sure a message will
contain (only users that want SA checking) || (only users that don't want
checking)

Here is an example of such an (untested) ACL:

acl_smtp_rcpt = acl_rcpt

begin acl

acl_rcpt

  warn  message     = X-SA-Disable: yes
        local_parts = /etc/exim/sa_skip
        condition   = ${if eq{{0}{$recipients_count}}}

  defer message     = Administrative restrictions makes this recipient \
                      unavailable at the moment
        local_parts = /etc/exim/sa_skip
        condition   = ${if and{{!eq{{0}{$recipients_count}}} \
                      {!eq{{yes}{$h_X-SA-Disable:}}}}}

  defer message     = Administrative restrictions makes this recipient \
                      unavailable at the moment
        !local_parts = /etc/exim/sa_skip
        condition   = ${if and{{!eq{{0}{$recipients_count}}} \
                      {eq{{yes}{$h_X-SA-Disable:}}}}}

This is a quick try, conditions may not work exactly as shown, and I'm not
sure defer is valid there, else we'll have to force a defer using another
check that will always defer (or fix the code). You should still see what I
have in mind.

Now, a message which reaches local_scan always has its recipients all
wanting the same of running SA or not. If the first recipient in the list
wants SA to run, every recipient who doesn't will be temporarily rejected,
then all those who want it will have their message passed through SA. After
a couple of minutes, the remote server should try to send the deferred
recipients again and this time the recipient list will contain only users
who don't want SA to run and vice-versa.

> > How does yahoo do rejections of only some of the recipients? (it's
> > yahoo
>
> mail from:
> 250 sender ok
> rcpt to:
> 250 recipient ok
> data
> 354 go ahead
> test

Ooops, the message was terminated by the . on that line, can you send the
end of it again?
Thanks,
-- 
Patrice Fournier
pfournier@loups.net

From merlin@merlins.org Wed May 29 19:59:05 2002
Received: from merlin by mail2.merlins.org with local (Exim 4.04 #137 (Debian)) id 17DG9Y-0002pu-00 for ; Wed, 29 May 2002 19:59:04 -0700
Date: Wed, 29 May 2002 19:59:04 -0700
From: Marc MERLIN
To: sa-exim@lists.merlins.org
Subject: Re: [SA-exim] PermReject
Message-ID: <20020530025904.GA11142@merlins.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.3.28i
X-Sysadmin: BOFH
X-URL: http://marc.merlins.org/
X-Operating-System: Proudly running Linux 2.4.14-lvm1.0.1rc4-ext3-0.9.15-grsec-1.8.8-servers11/Debian woody
X-Mailer: Some Outlooks can't quote properly without this header
X-BeenThere: sa-exim@lists.merlins.org
X-Mailman-Version: 2.1b2+
Precedence: bulk
List-Help:
List-Archive:
List-Unsubscribe: ,
List-Subscribe: ,
List-Post:
List-Id: Discussions on the SpamAssassin in exim at SMTP time
X-List-Received-Date: Thu, 30 May 2002 02:59:05 -0000

What the hell? There must be a bug in mutt, it should have escaped those
dots, unless it's exim's job.

> How does yahoo do rejections of only some of the recipients? (it's yahoo

mail from:
250 sender ok
rcpt to:
250 recipient ok
data
354 go ahead
test
>.
554 delivery error: dd This user doesn't have a yahoo.com account (marcmerlinns@yahoo.com) - mta401.mail.yahoo.com

mail from:
250 sender ok
rcpt to:
250 recipient ok
rcpt to:
250 recipient ok
data
354 go ahead
From: myadd@domain.tld
To: you
Subject: test

test
>.
250 ok dirdel 0/2

mail from:
250 sender ok
rcpt to:
250 recipient ok
rcpt to:
250 recipient ok
data
354 go ahead
From: myadd@domain.tld
To: you
Subject: test

test
>.
250 ok dirdel 1/1

(I did get that mail, but got no bounce for the bad address)

> that only rejects after DATA, right?) Fail the message and tell in the
> failure that some addresses did actually go through? I'm not sure I'd like
> this...
They do worse, if there is more than one RCPT, if any fails, they tell you
that all succeeded

DATA is not a good time to do processing that depends on RCPT TO, trust me :-)

Marc
-- 
Microsoft is to operating systems & security ....
                                      .... what McDonalds is to gourmet cooking
Home page: http://marc.merlins.org/ | Finger marc_f@merlins.org for PGP key

From CColes@keylabs.com Thu May 30 06:29:28 2002
Received: from [216.119.207.251] (port=54636 helo=ms01.keylabs.com) by mail2.merlins.org with esmtp (Exim 4.04 #137 (Debian)) id 17DPz8-00076N-00 for ; Thu, 30 May 2002 06:28:58 -0700
Received: by MS01 with Internet Mail Service (5.5.2653.19) id ; Thu, 30 May 2002 07:24:59 -0600
Message-ID: <0FE563CEB3B3D51185CB00508B667DEE59E06D@MS01>
From: Craig Coles
To: sa-exim@lists.merlins.org
Date: Thu, 30 May 2002 07:24:49 -0600
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.5.2653.19)
Subject: RE: [SA-exim] PermReject
Content-Type: text/plain; charset="iso-8859-1"
X-Spam-Status: No, hits=-100.0 required=7.0 tests=USER_IN_ALL_SPAM_TO version=2.21
X-Spam-Level:
X-BeenThere: sa-exim@lists.merlins.org
X-Mailman-Version: 2.1b2+
Precedence: bulk
List-Help:
List-Archive:
List-Unsubscribe: ,
List-Subscribe: ,
List-Post:
List-Id: Discussions on the SpamAssassin in exim at SMTP time
X-List-Received-Date: Thu, 30 May 2002 13:29:28 -0000

Sorry I stepped out last night, thanks for the comments from all...

I like being able to choose between devnull and/or reject levels. Reject is
a more drastic decision and easier to implement when you are sure that the
threshold you have chosen is accurate. In my case, I am trying to get users
to let me lower the thresholds a little bit at a time. My thoughts were to
reject at a higher level, one that I(we) know is doing what it is supposed
to do, and devnull at a lower level just in case you go a little too low and
don't want your clients email rejected (that looks bad!).
Devnull and Reject can co-exist, I don't think it needs to be a 'one or the
other' decision, but that's me.

For Patrice, I was thinking about the system_filter rule solution... I do
that now for select users but not for all, that's too much mail to store and
keep track of that I would have to be the one to maintain (my mail solution
receives, filters, then forwards mail on to an evil Exchange server for the
company depending on the domain and other attributes).

I'll look into some of the ACL solutions talked about in other mails for
letting mail through un-scanned, thanks.

-Craig

-----Original Message-----
Subject: Re: [SA-exim] PermReject

On Wed, May 29, 2002 at 06:21:30PM -0500, dman wrote:
> | I am currently devnulling above 18 and have been trying to do a permreject
> | at 20 or above, however I see in the logs that the messages are 'silently
> | tossed' according to the devnull rule of 18. I can't see where the
> | permreject rule is being referenced. Have I missed something to enable it?
> | (yes the SApermreject: 20 line is enabled...)
>
> That isn't possible as the code is right now. The relevant section
> begins on line 729 (version 1.3) (snipped for clarity) :

Eheh, you're hired :-)
dman is perfectly right.

spamassassin.conf says:
# If you reach this score, the mail is accepted and tossed (/dev/nulled)
# The default value is 99999 which should ensure this never happens.
# You should be real sure that the message is spam because the sender will
# get no notification
#SAdevnull: 20.0

In other words, you can't reject for a higher score than you devnull.
Quite frankly, I don't see why you would want to.
The way I see it, you reject if you reach a certain score, and at least give
the chance for the sender to know his mail wasn't received, but for things
where you're even more sure it's spam, you _could_ just toss it.
I believe it is an evil thing to do and don't do it myself, but I did
provide the rope :-)

> message.
> The code, right now, checks blackholing first, and since all
> messages scoring >= 20 also score >= 18 it is blackholed. If you want
> to reverse the order of the tests, for your site, you can do that.

Correct. I won't support that in the code, but you can trivially modify it
if you really want to do this.

> Put those user's local parts in /etc/exim/sa_skip (lsearch format).
> In the SAEximRunCond setting include something like this :
>
> SAEximRunCond: ${lookup {$local_part} lsearch {/etc/exim/sa_skip} {0}{1}}

Yep, although you'll probably want this:
SAEximRunCond: ${if and {{def:sender_host_address} {!eq {$sender_host_address}{127.0.0.1}} {! def:h_X-Spam-Flag:} } {1}{0} {${lookup {$local_part} lsearch {/etc/exim/sa_skip} {0}{1}}}}

This will save you from:
1) scanning messages that are generated locally on your machine
2) Not scan messages that were already scanned elsewhere (unless you decide
   not to trust the header)
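
[Added example, not part of any message in this thread and not Exim or sa-exim code: a Python simulation of the RCPT-time split proposed earlier in the thread, where the first recipient fixes whether SpamAssassin runs and recipients with the other setting get a temporary reject and are retried. The skip list contents, addresses, scores and the 7.0 reject threshold are constructed for illustration.]

```python
# Constructed simulation; not Exim or sa-exim code.
SA_SKIP = {"postmaster", "abuse"}   # assumed contents of /etc/exim/sa_skip


def wants_scan(rcpt):
    """True when the recipient's local part is not on the skip list."""
    return rcpt.split("@", 1)[0].lower() not in SA_SKIP


def rcpt_phase(recipients):
    """Answer each RCPT TO in order; the first recipient fixes the mode.

    Returns (accepted, deferred, scan). Deferred recipients are the ones the
    proposed ACL would temp-reject because their setting differs from the
    first recipient's.
    """
    accepted, deferred, scan = [], [], None
    for rcpt in recipients:
        if scan is None:
            scan = wants_scan(rcpt)      # first recipient decides
        if wants_scan(rcpt) == scan:
            accepted.append(rcpt)        # 250
        else:
            deferred.append(rcpt)        # 4xx, sender queues and retries
    return accepted, deferred, scan


def deliver(recipients, spam_score, reject_at=7.0, max_attempts=5):
    """Replay retries until every recipient has a final answer.

    After DATA there is a single verdict per transaction, which is why the
    recipients in one transaction must all share the same setting.
    Returns {recipient: (verdict, attempt_number)}.
    """
    outcome, pending = {}, list(recipients)
    for attempt in range(1, max_attempts + 1):
        if not pending:
            break
        accepted, pending, scan = rcpt_phase(pending)
        verdict = "rejected" if scan and spam_score >= reject_at else "accepted"
        for rcpt in accepted:
            outcome[rcpt] = (verdict, attempt)
    return outcome


if __name__ == "__main__":
    mixed = ["alice@example.org", "postmaster@example.org", "bob@example.org"]
    for rcpt, result in deliver(mixed, spam_score=12.0).items():
        print(rcpt, result)
```

[Because there are only two settings, any recipient list settles in at most two attempts; the cost is a retry delay for whichever group did not match the first recipient.]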